Microsoft has just released two out-of-band security updates that address remote code execution (RCE) flaws in the Microsoft Windows Codecs Library.
Several Windows 10 and Windows Server versions are affected by the vulnerabilities, tracked as CVE-2020-1425 and CVE-2020-1457. Both flaws were reported to Microsoft by Abdul-Aziz Hariri, Vulnerability Analysis Manager at Trend Micro’s Zero Day Initiative.
CVE-2020-1425 and CVE-2020-1457
Of the two, CVE-2020-1425 is the more serious: Microsoft rates it critical, while CVE-2020-1457 is rated important. Despite the different ratings, both flaws stem from the way the Microsoft Windows Codecs Library handles objects in memory.
The critical CVE-2020-1425 vulnerability is described as a remote code execution flaw that exists in the way the Microsoft Windows Codecs Library handles objects in memory. “An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system,” Microsoft says in the official advisory, wording that reads more like information disclosure than code execution despite the RCE classification. Exploitation requires that a program process a specially crafted image file.
CVE-2020-1457 is likewise a remote code execution vulnerability rooted in the way the Microsoft Windows Codecs Library handles objects in memory. Its exploitation path is the same as the other flaw: a program must process a specially crafted image file.
The updates that address the vulnerabilities correct the way Microsoft Windows Codecs Library handles objects in memory. As mentioned in the beginning, affected systems include Windows 10 versions 1709 or later desktop platforms, as well as Windows Server 2019 and a few Windows Server (Server Core installation) versions.
Note that Microsoft lists no mitigations for these vulnerabilities. The fix is delivered through the Microsoft Store rather than Windows Update and installs automatically: “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft says. Machines on which the Microsoft Store is blocked or that never go online will therefore not pick the fix up on their own.
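Because the fix arrives as a Store package update rather than a Windows Update patch, the usual update history does not show it. The following PowerShell check is an added example, not part of the article or of any Microsoft tooling. It assumes the Codecs Library components are installed as Store video-extension packages whose names match `Microsoft.*VideoExtension*` and that you supply the fixed version number from Microsoft's advisory yourself; neither the package name pattern nor any version number is stated on this page.

```powershell
# Added example (not from the article): compare the installed Microsoft Store
# codec packages against a minimum version taken from Microsoft's advisory.
# Assumptions: the relevant packages are the Store video-extension packages
# (names matching Microsoft.*VideoExtension*), and the minimum version is
# supplied by the caller; this page does not state either.
function Test-CodecPackageVersion {
    param(
        [Parameter(Mandatory)] [version] $MinimumVersion,
        [string] $NamePattern = 'Microsoft.*VideoExtension*'
    )

    # -AllUsers needs an elevated prompt. Store packages are provisioned per
    # user, so without it you only see the package state for the current account.
    $packages = Get-AppxPackage -AllUsers -Name $NamePattern
    if (-not $packages) {
        Write-Warning "No packages matching '$NamePattern' are installed; nothing to check."
        return
    }

    foreach ($pkg in $packages) {
        $installed = [version] $pkg.Version
        $status = if ($installed -ge $MinimumVersion) { 'OK' } else { 'NEEDS UPDATE' }
        [pscustomobject]@{
            Name    = $pkg.Name
            Version = $installed
            Status  = $status
        }
    }
}

# Usage: replace the placeholder with the fixed version from the CVE advisory.
# Test-CodecPackageVersion -MinimumVersion '1.0.0.0' | Format-Table -AutoSize

# If a package is flagged, force the Store to look for updates instead of
# waiting for the automatic check (opens the Store's Downloads and updates page).
# Start-Process 'ms-windows-store://downloadsandupdates'
```

Run it from an elevated prompt so that `-AllUsers` can enumerate every account; a package can be current for one user and stale for another on the same machine.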