In light of CVE-2023-4863, I started looking into updating the Microsoft.WebpImageExtension app on Windows 10/Windows 11 via a command line. In the process, I discovered a few things about winget and PowerShell commands for Appx and thought I’d share them here.
The vulnerability I’m concerned with is documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863 and https://nvd.nist.gov/vuln/detail/CVE-2023-4863. Specifically, I’m concerned with updating the Microsoft.WebpImageExtension app, because while the Microsoft Store is supposed to keep things up-to-date, and maybe eventually it gets around to doing that, it doesn’t do so quickly enough to satisfy me.
Microsoft’s guidance for updating the Webp app is predictably consumer-oriented. “The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately; see here for details.” I wanted to find a way to update systems to version 1.0.62681.0 programmatically and immediately.
My first stop was to open Terminal and query winget, the Windows package manager. I’m excited about the potential that this utility offers; please keep investing in it, Microsoft!
Checking the version of Microsoft.WebpImageExtension with winget list, I confirmed that the currently installed version was vulnerable and needed updating.
PS C:\WINDOWS\system32> winget list Microsoft.WebpImageExtension
Failed when searching source; results will not be included: winget
Name                  Id                                         Version
----------------------------------------------------------------------------
Webp Image Extensions Microsoft.WebpImageExtension_8wekyb3d8bbwe 1.0.62011.0
I then searched the MSStore source for “Webp Image Extensions” with winget search, using the name that winget list returned, to find the ID of the package.
PS C:\WINDOWS\system32> winget search "Webp Image Extensions" --source=msstore
Name                  Id           Version
------------------------------------------
Webp Image Extensions 9PG2DK419DRG Unknown
Note that the version for this Microsoft Store app is reported as “Unknown” by winget. This is important, because while the Windows Store knows about the versions of apps, currently that information is not surfaced to winget. This prevents winget from determining whether an upgrade is available, as I would soon discover. Hopefully, this will improve in time.
The Get-AppxPackage PowerShell cmdlet can provide a good deal more information than winget, and it and Remove-AppxPackage are useful for managing installed Appx packages. But in this case, winget turned out to be the solution to my problem.
PS C:\WINDOWS\system32> Get-AppxPackage -Name Microsoft.WebpImageExtension
Name              : Microsoft.WebpImageExtension
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : X64
ResourceId        :
Version           : 1.0.62011.0
PackageFullName   : Microsoft.WebpImageExtension_1.0.62011.0_x64__8wekyb3d8bbwe
InstallLocation   : C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.62011.0_x64__8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.WebpImageExtension_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : False
IsPartiallyStaged : False
SignatureKind     : Store
Status            : Ok
It took me a few tries to figure out the correct switches, because winget couldn’t tell that the version in the store was newer than the installed version.
PS C:\WINDOWS\system32> winget install --silent --id=9PG2DK419DRG --source=msstore --accept-package-agreements
Found an existing package already installed. Trying to upgrade the installed package...
No available upgrade found.
No newer package versions are available from the configured sources.
I was surprised to find that winget upgrade didn’t by default attempt to upgrade the package.
PS C:\WINDOWS\system32> winget upgrade --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements
No available upgrade found.
No newer package versions are available from the configured sources.
Eventually, I was able to assemble the arguments into a command that did what I wanted.
The magic command line turned out to be:
winget install --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements --force
PS C:\WINDOWS\system32> winget install --silent --id=9PG2DK419DRG --source=msstore --uninstall-previous --accept-package-agreements --force
Found Webp Image Extensions [9PG2DK419DRG] Version Unknown
This package is provided through Microsoft Store. winget may need to acquire the package from Microsoft Store on behalf of the current user.
Agreements for Webp Image Extensions [9PG2DK419DRG] Version Unknown
Version: Unknown
Publisher: Microsoft Corporation
Publisher Url: http://www.microsoft.com/
Description: The WebP Image Extension will enable you to view WebP images in the Windows 10 Microsoft Edge browser. WebP is a modern image format that provides lossless and lossy compression for smaller, richer images on the web.
License: https://go.microsoft.com/fwlink/?LinkId=529064
Privacy Url: http://go.microsoft.com/fwlink/?LinkID=521839
Copyright: © 2018 Microsoft
Agreements:
Category: System Components
Pricing: Free
Free Trial: No
Terms of Transaction: https://aka.ms/microsoft-store-terms-of-transaction
Seizure Warning: https://aka.ms/microsoft-store-seizure-warning
Store License Terms: https://aka.ms/microsoft-store-license
Starting package install...
██████████████████████████████ 100%
Successfully installed
Interestingly, post-update, winget list now shows the source is “msstore”.
PS C:\WINDOWS\system32> winget list Microsoft.WebpImageExtension
Failed when searching source; results will not be included: winget
Name                  Id           Version     Source
-------------------------------------------------------
Webp Image Extensions 9PG2DK419DRG 1.0.62681.0 msstore
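Because winget reports the Store version as “Unknown”, the version check has to come from Get-AppxPackage. The following script is an added example, not part of the original post: it gates the forced install above on the installed Appx version and verifies the result afterwards. It assumes 1.0.62681.0 is the target version (as stated in the post), that winget is on PATH, and that checking the current user's packages is sufficient; the variable and function names are hypothetical.

```powershell
# Added example: version-gated update of the WebP extension (not from the original post).
# Assumptions: 1.0.62681.0 is the target version named in the post; winget is on PATH.
$PackageName  = 'Microsoft.WebpImageExtension'
$StoreId      = '9PG2DK419DRG'              # msstore Id returned by winget search in the post
$FixedVersion = [version]'1.0.62681.0'

function Get-WebpVersion {
    # [version] of every copy installed for the current user (empty array if none).
    @(Get-AppxPackage -Name $PackageName | ForEach-Object { [version]$_.Version })
}

function Test-NeedsUpdate {
    param([version[]]$Installed)
    # Any installed copy below the fixed version means the system still needs the update.
    foreach ($v in $Installed) {
        if ($v -lt $FixedVersion) { return $true }
    }
    return $false
}

$before = Get-WebpVersion
if ($before.Count -eq 0) {
    Write-Output "$PackageName is not installed for this user; nothing to update."
}
elseif (-not (Test-NeedsUpdate -Installed $before)) {
    Write-Output "$PackageName is already at $($before -join ', '); no action taken."
}
else {
    Write-Output "Installed version(s) $($before -join ', ') are below $FixedVersion; updating."
    # Same switches as the command in the post; --force is needed because winget
    # cannot compare against the Store version it reports as "Unknown".
    & winget install --silent "--id=$StoreId" --source=msstore `
        --uninstall-previous --accept-package-agreements --force
    if ($LASTEXITCODE -ne 0) {
        throw "winget exited with code $LASTEXITCODE"
    }

    # Do not trust "Successfully installed"; re-read the Appx version and compare.
    $after = Get-WebpVersion
    if ($after.Count -eq 0 -or (Test-NeedsUpdate -Installed $after)) {
        throw "Update did not reach $FixedVersion (found: $($after -join ', '))"
    }
    Write-Output "Updated $PackageName to $($after -join ', ')."
}
```

Run from a management tool, the thrown errors give a non-zero result that can be used to flag machines that remain below the target version.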