Government warns of remote attack against Windows PCs editing iPhone video

If you're an iPhone owner and use a Windows PC, go to the Windows Store and make sure you have the latest patch.

Credit: Jason Snell

If you own a Windows PC as well as a recent iPhone, the U.S. government wants you to open the Windows Store today and make sure that you have the most recent version of the HEVC video codec.

The U.S. government (specifically the Cybersecurity and Infrastructure Security Agency) has warned that the Microsoft Windows Codecs Library includes a vulnerability that affects how it handles objects stored in memory. Specifically, a specially-crafted image file could be used to remotely take over your machine unless your PC is patched.

Many attacks against PCs require local access, or the actual presence of a bad guy sitting at your keyboard. What the U.S. CISA is worried about is the presence of an HEVC file specifically designed to take over your PC. And it’s no idle threat; our colleagues at Macworld report that recording video using HEVC occurs by default on iOS 11 and later, meaning that you most likely won’t be suspicious of an HEVC video attached to an email or on the Internet.

If you don’t own an iPhone, chances are that you’re not vulnerable. You’ll need to have downloaded the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store to be vulnerable.

To patch the problem, you’ll need to download the updated codec from the Store, too. The patched versions of the codec include versions 1.0.32762.0, 1.0.32763.0, and later. To check to see if you have the updated version, go to the Windows 10 Settings menu, then to Apps & Features and then to HEVC, and Advanced Options. You’ll see the version number there. You can also launch PowerShell from within Windows and type in the following command to see the version number, too: 

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

U.S. CISA also warns that a second, unrelated vulnerability applies to Visual Studio, and a malformed JSON file. Although Visual Studio usually only applies to developers, if you’re a user of that program, you’ll need to be wary of JSON files until Microsoft develops a patch.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?