Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Microsoft Windows Codecs Library Vulnerability showing up on scan, even after updating the apps.

Copper Contributor

Hello Tech Community,

 

I hope I'm posting this in the right place. I need help with some vulnerability issues. This is happening for a few things, and I'm at a loss as to what to do next. This example is the Qualys QID 91866 Microsoft Windows Codecs Library HEVC Video and VP9 Extensions Remote Code Execution (RCE) Vulnerability for February 2022.

I have updated all the relevant codecs, checked their current versions in PowerShell and confirmed with the CVE that they are up to date, but the VM keeps retrieving this in its scan. The only place I can find older version remnants is the registry, and I don't particularly want to go in and remove a bunch of keys. I'm also not able uninstall the codecs or the other apps this issue keeps happening on. 

 

In this case, the scan shows 

Microsoft vulnerable Microsoft.VP9VideoExtensions detected 
Version     '1.0.13333.0' 

 Installed version is 1.0.42351.0 . 

 

This is also happening with the Office App and Photos App. Any ideas as to how best to remediate?

 

Thanks for the help!

 

-OrestisO

 

5 Replies

@OrestisO 

 

Did you ever find a fix for this?  We have the same issue and even removed the old version only to find out it still shows as vulnerable.  It might be picking it up in user profiles which makes it more difficult to remove.

Hi @Kurt Carpenter , what worked for me was to completely uninstall the package using Powershell and then reinstall it from Microsoft Store. I don't need the app, but that solved the problem. The same thing happened with a variety of other codecs. I don't think the uninstall from Programs and Features is a completely clean one, so Powershell was the way to go. Unfortunately, in all my cases there was only a single profile per machine so I don't know if it's installed in each user profile. 

 

What might be an easier way to deal with this is winget. This page has a good breakdown on how to use it, whether for targeted apps or just an overall update. 

 

https://pureinfotech.com/update-apps-winget-windows-11/

 

I hope this helps!

@Kurt Carpenter Ditto.  Looks like a reference to the old version is lingering in wmi, which is our problem since the detection logic in our case is querying wmi.  I'm waiting on a fix from MS.  More broadly, we can't update raw image file, VP9, HEIF, extensions... since we don't use MS Store. 

@arneb3 did you ever get a solution to this? Our Qualys scans are still bringing up Windows Store Apps (eg codecs) that we can't update. Is there a way to remove them from WMI?

@QulaysUser In addition to pushing latest versions via sccm, we had to deploy a removal package via sccm (powershell scripted repeating loops because multiple old versions on some machines).  It was painstaking...