Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions.
The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating.
Both desktop and server platforms affected
In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory.
After successfully exploiting CVE-2020-1425, attackers “could obtain information to further compromise the user’s system,” while successful exploitation of CVE-2020-1457 could lead to arbitrary code execution on vulnerable systems.
Exploitation of these vulnerabilities requires a program to process a specially crafted image file.
According to Microsoft, the two out-of-band security updates address the vulnerabilities “by correcting how Microsoft Windows Codecs Library handles objects in memory.”
For both security issues, affected systems include desktop platforms running Windows 10 version 1709 or later, Windows Server 2019, and several Windows Server (Server Core installation) versions.
No mitigation available, updates will install automatically
Microsoft says that it has not identified any mitigating measures or workarounds for these two vulnerabilities.
“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft explains.
“Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.”
Both vulnerabilities were reported to Microsoft by Abdul-Aziz Hariri, a vulnerability analysis manager at Trend Micro’s Zero Day Initiative.