Microsoft has released unscheduled fixes for two critical vulnerabilities that allow attackers to run malicious code on computers running any version of Windows 10.
Unlike most Windows patches, those released on Tuesday were made available through the Microsoft Store. The normal channel for operating system security fixes is Windows Update. Advisories here and here said that users don't need to take any action to receive and install the fixes automatically.
“Affected customers are automatically updated by the Microsoft Store. Customers don't have to do anything to get the update,” both advisories say. “Alternatively, customers who want to receive the update immediately can use the Microsoft Store app to check for updates. More information on this process can be found here.”
However, when I checked both the Microsoft Store and Windows Update on my Windows 10 laptop, I saw no confirmation that the patch was installed. Typically, Windows 10 users can use the Windows Update tab in the Update & Security section of Settings to confirm that patches have been installed. The link given in the advisories provided no clarity. Microsoft representatives did not immediately respond to questions seeking clarification.
Both of these vulnerabilities are in Windows code libraries that manage codecs, which are used to render images or other multimedia content. Attackers can take advantage of the bugs to execute code of their choice or obtain information stored on vulnerable systems. Exploits can be delivered in specially crafted image files that corrupt computer memory. Presumably, the images could be delivered through compromised websites that a target visits, or when targets open a malicious file sent by email. Tuesday's advisories did not specify whether exploits would work only if targets opened the malicious images in certain apps or in any app.
Microsoft credited Abdul-Aziz Hariri of Trend Micro's Zero Day Initiative with discovering the bugs and reporting them privately. Both advisories say there are no indications that the bugs are being actively exploited in the wild. Since there is no clear way to verify that the patches have been installed, Windows 10 users must for now take Microsoft's word that they will be installed automatically. This post will be updated when Microsoft answers our questions.