Microsoft recently released patches for two serious security vulnerabilities in the Windows 10 Codecs Library. The fixes shipped as unscheduled, out-of-band updates and are mandatory. They address two RCE (Remote Code Execution) flaws that affect both the Windows 10 client and server versions.
If you are running Windows 10, you should update and patch the OS to be on the safe side. Two out-of-band security updates have been released to patch two vulnerabilities in the Microsoft Windows Codecs Library. Tracked as CVE-2020-1425 and CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions.
In security advisories published recently, Microsoft said the two security flaws can be exploited with the help of a specially crafted image file. The loopholes were found in the way that the library ‘handles objects in memory’. Rated Critical and Important respectively, the vulnerabilities could allow remote attackers to take complete control over the victim computer. Both flaws reside in the HEIF and HEVC codecs, two of the most common image codecs, and the company classified each as a remote code execution vulnerability.
If a malformed image is opened inside an app that uses the built-in Windows Codecs Library to handle multimedia content, an attacker could run malicious code on the Windows computer and potentially take over the device. For those unaware, the Codecs Library is a collection of support libraries that help the Windows operating system play, compress and decompress various audio, video and image file formats.
According to Microsoft, both remote code execution vulnerabilities reside in the way Microsoft Windows codec library handles objects in memory. However, exploiting both flaws requires an attacker to trick a user running an affected Windows system into clicking on a specially crafted image file designed to be opened with any app that uses the built-in Windows Codec Library.
Of the two, CVE-2020-1425 is the more critical, because successful exploitation could also allow an attacker to harvest information that can be used to compromise the affected user’s system further. The second vulnerability, tracked as CVE-2020-1457, has been rated Important and could allow an attacker to execute arbitrary code on an affected Windows system. Affected customers need to take no action to receive the update, as the fix is delivered automatically through the Microsoft Store, according to the company. Alternatively, customers who want to receive the update immediately can check for updates in the Microsoft Store app.
Microsoft credited security researcher Abdul-Aziz Hariri for identifying the flaws and reporting them to Trend Micro’s Zero Day Initiative (ZDI). The following operating systems are affected:
- Windows 10 version 1709
- Windows 10 version 1803
- Windows 10 version 1809
- Windows 10 version 1903
- Windows 10 version 1909
- Windows 10 version 2004
- Windows Server 2019
- Windows Server version 1803
- Windows Server version 1903
- Windows Server version 1909
- Windows Server version 2004
Since Microsoft is not aware of any workaround or mitigating factor for these vulnerabilities, Windows users are strongly recommended to deploy the new patches before attackers start exploiting the issues and compromising their systems.
The company is rolling out the out-of-band security updates through the Microsoft Store, so affected users will be updated automatically without any further action. If you don’t want to wait, you can install the patches immediately by checking for new updates in the Microsoft Store.
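Because the fix arrives through the Store rather than Windows Update, administrators often want to confirm on each machine that the HEIF and HEVC codec packages have actually been refreshed. The following PowerShell snippet is an added example, not code from the article or from Microsoft: it lists the installed versions of the two Store codec packages and compares them against a minimum version. The package names (Microsoft.HEIFImageExtension and Microsoft.HEVCVideoExtension) are the real Store identifiers for these extensions; the minimum fixed version is a placeholder, since the article does not state the patched version numbers, and must be taken from Microsoft's advisory before the check is meaningful.

```powershell
# Added example (not from the article): inventory the Store-delivered codec
# packages used by the Windows Codecs Library for HEIF/HEVC content and flag
# any installed copy older than the patched release.
#
# Run from an elevated PowerShell session; -AllUsers needs administrator rights.

# PLACEHOLDER: replace with the fixed version listed in Microsoft's advisory.
$MinimumFixedVersion = [version]'0.0.0.0'

# Real Store package names for the two affected codecs (assumption: these are
# the packages the article's "HEIF and HEVC" refer to).
$CodecPackages = @(
    'Microsoft.HEIFImageExtension',
    'Microsoft.HEVCVideoExtension'
)

foreach ($name in $CodecPackages) {
    # One package may be installed per user and per architecture, so collect all.
    $pkgs = Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        # No codec package means nothing vulnerable is present for this format.
        Write-Output "$name : not installed"
        continue
    }
    foreach ($pkg in $pkgs) {
        $installed = [version]$pkg.Version
        $status = if ($installed -ge $MinimumFixedVersion) { 'OK' } else { 'UPDATE REQUIRED' }
        Write-Output ('{0} {1} ({2}) : {3}' -f $pkg.Name, $pkg.Version, $pkg.Architecture, $status)
    }
}
```

If a package shows UPDATE REQUIRED, open the Microsoft Store and check for updates as the article describes; rerun the script afterwards to confirm the version has moved past the advisory's fixed release.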
It’s not completely uncommon for Microsoft to release updates outside of the second Tuesday of every month, also known as “Patch Tuesday.” However, typically the company does so in response to vulnerabilities uncovered by third-party security researchers, including from rivals such as Google, that are found to be under attack. Microsoft said it has not detected either Windows Codecs Library flaw being exploited in the wild.
These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, in which it released patches for 129 vulnerabilities – the highest number of CVEs Microsoft has ever addressed in a single month. Within that blockbuster security update, 11 critical remote code execution flaws were patched in Windows, SharePoint Server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, the June release did not include any zero-day vulnerabilities being actively attacked in the wild.