The out-of-band update plugs two remote code
execution bugs in the Windows Codecs library, including one rated as critical
Microsoft, on Tuesday, released emergency security patches to plug a pair of serious vulnerabilities
in its Windows Codecs library that impact several Windows 10 and Windows Server
versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are
rated as ‘critical’ and ‘important’ in
severity, respectively.
Both security loopholes
have to do with how Microsoft Windows Codecs Library handles objects in memory.
An attacker who can exploit CVE-2020-1425 “could obtain information to further
compromise the user’s system”, said Microsoft. Successful exploitation of the
second flaw, meanwhile, could enable attackers to execute arbitrary code on the
targeted machine. Each flaw was given the “exploitation less likely” rating
on Microsoft’s Exploitability Index.
Details are very sparse and
there’s no word on specific attack vectors, but Microsoft said that
exploitation of either vulnerability “requires that a program process a
specially crafted image file”. This could, for example, involve luring the
target into downloading and opening a malicious image file shared via email or
a compromised website.
The updates are being
deployed automatically via Microsoft Store, rather than through the far more
usual Windows Update process. “Affected customers will be automatically updated
by Microsoft Store. Customers do not need to take any action to receive the update,”
said Microsoft.
In order to check if the
updates have been implemented or to expedite the process, Microsoft
provides this guidance. The company is not aware of any mitigations or
workarounds for the two vulnerabilities.