CVE-2020-1425 and CVE-2020-1457 in Microsoft Windows Codecs Library

Two out-of-band security updates were just released by Microsoft, addressing remote code execution (RCE) security flaws in Microsoft Windows Codecs Library.

Several Windows 10 and Windows Server versions are affected by the vulnerabilities, which are tracked as CVE-2020-1425 and CVE-2020-1457. Both flaws were reported to Microsoft by vulnerability analysis manager Abdul-Aziz Hariri via Trend Micro’s Zero Day Initiative.

CVE-2020-1425 and CVE-2020-1457

One question that comes to mind is which of the two vulnerabilities is more dangerous. It is CVE-2020-1425, which has been rated critical; the second one has been rated important. Despite the different severity ratings, both flaws stem from the way Microsoft Windows Codecs Library handles objects in memory.

The critical CVE-2020-1425 vulnerability is described as a remote code execution vulnerability that exists in the way Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system, Microsoft says in the official advisory. Exploitation requires that a program process a specially crafted image file.


The CVE-2020-1457 vulnerability is also a remote code execution flaw, and it also exists in the way Microsoft Windows Codecs Library handles objects in memory. Exploitation is similar to the other flaw: it likewise requires that a program process a specially crafted image file.

The updates that address the vulnerabilities correct the way Microsoft Windows Codecs Library handles objects in memory. As mentioned at the beginning, affected systems include Windows 10 version 1709 and later desktop platforms, as well as Windows Server 2019 and several Windows Server (Server Core installation) versions.

Note that Microsoft lists no mitigations or workarounds for the vulnerabilities; the fixes are installed automatically. “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft says.

Milena Dimitrova
