
Cyber Security, Microsoft urgently fixes two Codec vulnerabilities

Bleeping Computer: Microsoft urgently fixed two Codec vulnerabilities affecting the library on several Windows 10 and Windows Server versions

Microsoft has released two urgent security updates to address Remote Code Execution (RCE) cyber security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. According to Bleeping Computer, the flaws are CVE-2020-1425 and CVE-2020-1457: the first is rated critical, while the second received an important severity rating. Both desktop and server platforms are affected by an RCE issue caused by the way the Codecs Library handles objects in memory. After successfully exploiting CVE-2020-1425, attackers “could obtain information to further compromise the user’s system,” while successful exploitation of CVE-2020-1457 could lead to arbitrary code execution on vulnerable systems. However, exploiting either flaw requires a program to process a specially crafted image file.

The cyber security updates correct how the Windows Codecs Library handles objects in memory. To date, there are no alternative mitigating measures

According to Microsoft, the two cyber security updates address the vulnerabilities “by correcting how Windows Codecs Library handles objects in memory.” For both security issues, affected systems include Windows 10 version 1709 or later desktop platforms, Windows Server 2019 and several Windows Server (Server Core installation) versions. The company, moreover, says that it has not identified any mitigating measures or workarounds for the two flaws. “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft explains. “Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.” Both vulnerabilities were reported to Microsoft by vulnerability analysis manager Abdul-Aziz Hariri through Trend Micro’s Zero Day Initiative.
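Because the fix arrives through the Microsoft Store rather than Windows Update, it will not show up in a normal patch-compliance report. As an added example (not part of the article and not Microsoft's own tooling), the PowerShell check below lists the installed version of the Store-delivered codec package on a host and flags whether it meets the patched version. The package name is assumed to be the HEVC Video Extensions package that Microsoft's advisories for these CVEs point to, and the patched version number is a placeholder to be filled in from the advisory; the article quotes neither.

```powershell
# Added example: report whether the Store-delivered codec package on this host
# is at or above the patched version. Run from an elevated shell so that
# -AllUsers can enumerate packages installed for every profile.
#
# ASSUMPTIONS (not taken from the article):
#   - $PackageName is assumed to be the package the advisories cover.
#   - $PatchedVersion is a PLACEHOLDER; replace it with the version listed in
#     Microsoft's advisory for CVE-2020-1425 / CVE-2020-1457.
param(
    [string]  $PackageName    = 'Microsoft.HEVCVideoExtension',  # assumed
    [version] $PatchedVersion = '0.0.0.0'                        # PLACEHOLDER
)

# The trailing wildcard also catches sibling packages that share the prefix,
# so a differently suffixed variant of the same codec is not silently skipped.
$packages = Get-AppxPackage -AllUsers -Name "$PackageName*" -ErrorAction SilentlyContinue

if (-not $packages) {
    # No package means nothing for the Store update to patch on this host;
    # record that explicitly rather than treating "not found" as "patched".
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Package   = $PackageName
        Installed = $null
        Required  = $PatchedVersion
        Status    = 'NOT_INSTALLED'
    }
    return
}

foreach ($pkg in $packages) {
    # Appx versions are strings like "1.0.12345.0"; cast so comparison is
    # numeric per component rather than lexical.
    $installed = [version] $pkg.Version
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Package   = $pkg.Name
        Installed = $installed
        Required  = $PatchedVersion
        Status    = if ($installed -ge $PatchedVersion) { 'PATCHED' } else { 'OUTDATED' }
    }
}
```

Save the script and run it with the advisory's version, for example `.\Check-CodecPackage.ps1 -PatchedVersion <version from advisory>`; hosts reporting OUTDATED are the ones where a user should trigger the Store's check-for-updates as the article describes, and NOT_INSTALLED hosts are out of scope for this particular fix. Because the objects are emitted rather than printed, the output can be piped straight into `Export-Csv` for a fleet-wide inventory.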
