In light of CVE-2023-4863, I started looking into updating the Microsoft.WebpImageExtension app on Windows 10/Windows 11 via a command line. In the process, I discovered a few things about winget and PowerShell commands for Appx and thought I’d share them here.
The vulnerability I’m concerned with is documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863 and https://nvd.nist.gov/vuln/detail/CVE-2023-4863. Specifically, I’m concerned with updating the Microsoft.WebpImageExtension app, because while the Microsoft Store is supposed to keep things up-to-date, and maybe eventually it gets around to doing that, it doesn’t do so quickly enough to satisfy me.
Microsoft’s guidance for updating the Webp app is predictably consumer-oriented. “The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately; see here for details.” I wanted to find a way to update systems to version 1.0.62681.0 programatically and immediately.
My first stop was to open Terminal and query winget, the Windows package manager. I’m excited about the potential that this utility offers, please keep investing in it, Microsoft!
Checking the version of Microsoft.WebpImageExtension with winget list, I confirmed that the currently installed version was vulnerable and needed updating.
PS C:\WINDOWS\system32> winget list Microsoft.WebpImageExtension
Failed when searching source; results will not be included: winget
Name Id Version
----------------------------------------------------------------------------
Webp Image Extensions Microsoft.WebpImageExtension_8wekyb3d8bbwe 1.0.62011.0I then searched the MSStore source for “Webp Image Extensions” with winget search, using the name that winget list returned, to find the ID of the package.
PS C:\WINDOWS\system32> winget search "Webp Image Extensions" --source=msstore
Name Id Version
------------------------------------------
Webp Image Extensions 9PG2DK419DRG UnknownNote that the version for this Microsoft Store app is “Unknown” by winget. This is important, because while the Windows Store knows about the versions of apps, currently that information is not surfaced to winget. This prevents winget from determining whether an upgrade is available, as I would soon discover. Hopefully, this will improve in time.
The Get-AppxPackage PowerShell cmdlet can provide a good deal more information than winget, and it along with Remove-AppxPackage are useful for managing installed Appx packages. But in this case, winget turned out to be the solution to my problem.
PS C:\WINDOWS\system32> Get-AppxPackage -Name Microsoft.WebpImageExtension
Name : Microsoft.WebpImageExtension
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X64
ResourceId :
Version : 1.0.62011.0
PackageFullName : Microsoft.WebpImageExtension_1.0.62011.0_x64__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.62011.0_x64__8wekyb3d8bbwe
IsFramework : False
PackageFamilyName : Microsoft.WebpImageExtension_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : False
IsPartiallyStaged : False
SignatureKind : Store
Status : OkIt took me a few tries to figure out the correct switches, because winget couldn’t tell that the version in the store was newer than the installed version.
PS C:\WINDOWS\system32> winget install --silent --id=9PG2DK419DRG --source=msstore --accept-package-agreements
Found an existing package already installed. Trying to upgrade the installed package...
No available upgrade found.
No newer package versions are available from the configured sources.
I was surprised to find that winget upgrade didn’t by default attempt to upgrade the package.
PS C:\WINDOWS\system32> winget upgrade --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements
No available upgrade found.
No newer package versions are available from the configured sources.Eventually, I was able to assemble the arguments into a command that did what I wanted.
The magic command line turned out to be winget install --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements --force.
PS C:\WINDOWS\system32> winget install --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements --force
Found Webp Image Extensions [9PG2DK419DRG] Version Unknown
This package is provided through Microsoft Store. winget may need to acquire the package from Microsoft Store on behalf of the current user.
Agreements for Webp Image Extensions [9PG2DK419DRG] Version Unknown
Version: Unknown
Publisher: Microsoft Corporation
Publisher Url: http://www.microsoft.com/
Description: The WebP Image Extension will enable you to view WebP images in the Windows 10 Microsoft Edge browser. WebP is a modern image format that provides lossless and lossy compression for smaller, richer images on the web.
License: https://go.microsoft.com/fwlink/?LinkId=529064
Privacy Url: http://go.microsoft.com/fwlink/?LinkID=521839
Copyright: © 2018 Microsoft
Agreements:
Category: System Components
Pricing: Free
Free Trial: No
Terms of Transaction: https://aka.ms/microsoft-store-terms-of-transaction
Seizure Warning: https://aka.ms/microsoft-store-seizure-warning
Store License Terms: https://aka.ms/microsoft-store-license
Starting package install...
██████████████████████████████ 100%
Successfully installedInterestingly, post-update, winget list now shows the source is “msstore”.
PS C:\WINDOWS\system32> winget list Microsoft.WebpImageExtension
Failed when searching source; results will not be included: winget
Name Id Version Source
-------------------------------------------------------
Webp Image Extensions 9PG2DK419DRG 1.0.62681.0 msstore