The patches fix two separate RCE bugs in Windows Codecs that allow hackers to exploit playback of multimedia files.
Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.
Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications. The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update Tuesday night and affect several versions of Windows 10 and Windows Server 2019.
Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates.
CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library.
Microsoft included a complete list of the Windows 10 and Windows Server distributions affected in its advisories, which offered little specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabilities.
Affected customers need to take no action to receive the update, as they will be automatically updated by Microsoft Store, according to the company. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App.
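Because the fix is delivered through the Microsoft Store rather than appearing in the usual Windows Update history, an administrator verifying that the update actually landed has to inventory the Store-delivered codec packages and compare their versions against the fixed build. The PowerShell script below is an added example written for this article, not Microsoft's own tooling. It assumes the affected codec components ship as Store (Appx/MSIX) packages whose names match the wildcard patterns listed, and it uses a placeholder for the fixed version, which the article does not state and which should be taken from Microsoft's advisory for CVE-2020-1425 and CVE-2020-1457.

```powershell
# Added example (not from the article): inventory Store-delivered codec packages
# on this machine so the out-of-band update can be confirmed per user profile.
# Assumptions: the codec components are Appx/MSIX packages from the Microsoft Store
# whose names match the patterns below; adjust the patterns if your advisory names
# a different package. The fixed version is a PLACEHOLDER to be replaced with the
# value from Microsoft's advisory for CVE-2020-1425 / CVE-2020-1457.

$patterns     = @('Microsoft.*VideoExtension*', 'Microsoft.*ImageExtension*', 'Microsoft.WebMediaExtensions')
$fixedVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed build from the Microsoft advisory

# -AllUsers needs an elevated prompt; it is what catches profiles that have not
# opened the Store (and so have not received the automatic update) yet.
$found = foreach ($p in $patterns) {
    Get-AppxPackage -AllUsers -Name $p -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output 'No Store codec packages matched the patterns for any user profile.'
    return
}

$found |
    Sort-Object Name, Version -Unique |
    ForEach-Object {
        $v = [version]$_.Version
        [pscustomobject]@{
            Package = $_.Name
            Version = $_.Version
            Status  = if ($v -ge $fixedVersion) { 'at or above fixed version' } else { 'NEEDS UPDATE' }
        }
    } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each host you need to attest; a package reported as NEEDS UPDATE on a machine where Store updates are disabled by policy is the case to look for, since those machines will not receive the automatic update the article describes.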
Microsoft credited security researcher Abdul-Aziz Hariri for identifying the flaws and reporting them to Trend Micro’s Zero Day Initiative (ZDI), according to a published report in ZDNet.
It’s not unusual for Microsoft to release updates outside of the second Tuesday of every month, also known as “Patch Tuesday.” However, the company typically does so in response to vulnerabilities uncovered by third-party security researchers, including from rivals such as Google, that are found to be under attack. Microsoft said it has not detected either Windows Codecs Library flaw being exploited in the wild.
These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.
Via threatpost.com