The out-of-band update plugs two remote code execution bugs in the Windows Codecs library, including one rated as critical
Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.
Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker who can exploit CVE-2020-1425 “could obtain information to further compromise the user’s system”, said Microsoft. Successful exploitation of the second flaw, meanwhile, could enable attackers to execute arbitrary code on the targeted machine. Each flaw was given the “exploitation less likely” rating on Microsoft’s Exploitability Index.
Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.
RELATED READING: Vulnerabilities, exploits and patches
The updates are being deployed automatically via Microsoft Store, rather than through the far more usual Windows Update process. “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” said Microsoft.
In order to check if the updates have been implemented or to expedite the process, Microsoft provides this guidance. The company is not aware of any mitigations or workarounds for the two vulnerabilities.