DECEMBER 2020 PCWorld 129
over your machine unless your
PC is patched.
Many attacks against PCs require local access, or the actual presence of a bad guy sitting at your keyboard. What the U.S. CISA is worried about is the presence of an HEVC file specifically designed to take over your PC. And it’s no idle threat; our colleagues at Macworld report that recording video using HEVC occurs by default on iOS 11 and later, meaning that you most likely won’t be suspicious of an HEVC video attached to an email or on the Internet.
If you don’t own an iPhone, chances are that you’re not vulnerable. You’ll need to have downloaded the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store to be vulnerable.
To patch the problem, you’ll need to download the updated codec from the Store, too. The patched versions of the codec are 1.0.32762.0, 1.0.32763.0, and later.
To check whether you have the updated version, go to the Windows 10 Settings menu, then to Apps & Features, then to HEVC, and then to Advanced Options. You’ll see the version number there. You can also launch PowerShell from within Windows and type in the following command to see the version number:
Get-AppxPackage -Name Microsoft.HEVCVideoExtension*
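
As an added example (not part of the original article), the PowerShell below runs the same query and compares each installed codec package against the patched versions named above. It assumes 1.0.32762.0, the lower of the two listed versions, is the minimum safe version; the function name Test-HevcCodecPatched is made up for this example.

```powershell
# Added example: flag HEVC codec packages older than the patched versions
# named in the article (1.0.32762.0, 1.0.32763.0, and later).
# Assumption: the lower of the two listed versions is the minimum safe version.
$MinPatched = [version]'1.0.32762.0'

# Hypothetical helper: compares one package version against the minimum.
function Test-HevcCodecPatched {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version,
        [version] $Minimum = $MinPatched
    )
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Patched = ($Version -ge $Minimum)   # numeric, per-field comparison
    }
}

# Same query as the article's command. It covers the current user only and
# returns nothing when the optional codec was never installed.
$packages = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*')

if ($packages.Count -eq 0) {
    Write-Output 'No HEVC codec package is installed for this user.'
} else {
    # Appx versions are strings; binding to [version] avoids comparing them as text.
    $results = $packages | ForEach-Object {
        Test-HevcCodecPatched -Name $_.Name -Version $_.Version
    }
    $results | Format-Table -AutoSize

    $unpatched = @($results | Where-Object { -not $_.Patched })
    if ($unpatched.Count -gt 0) {
        Write-Warning 'An HEVC codec is older than the patched versions; update it from the Microsoft Store.'
    } else {
        Write-Output 'All installed HEVC codec packages are at a patched version.'
    }
}
```
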
U.S. CISA also warns (go.pcworld.com/json) that a second, unrelated vulnerability affects Visual Studio and involves a malformed JSON file. Although Visual Studio is usually used only by developers, if you’re a user of that program, you’ll need to be wary of JSON files until Microsoft develops a patch.
Make sure you have the latest version of HEVC.
The U.S. government says the Microsoft Windows Codecs Library includes
a vulnerability that affects how it handles objects stored in memory.