Microsoft has released patches for two serious security vulnerabilities in the Windows 10 Codecs Library. The fixes ship as unscheduled (out-of-band) updates and are mandatory. They address two remote code execution (RCE) flaws that affect both the client and the server editions of Windows 10.
Microsoft published details of the two recently discovered issues in the Windows Codecs Library. Both stem from the way the library “handles objects in memory”. Rated Critical and Important respectively, the vulnerabilities could allow a remote attacker to take complete control of the victim's computer.
Microsoft Quietly Fixes Two Security Vulnerabilities Tagged ‘Critical’ And ‘Important’ With RCE Potential:
Microsoft confirmed that the issues are tracked as “CVE-2020-1425” and “CVE-2020-1457”. The flaws reside in the widely used HEIF and HEVC codecs. The company classified both as remote code execution vulnerabilities, with severities of Critical and Important respectively.
Microsoft releases urgent updates for Windows 10. A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-1425) (CVE-2020-1457).
— Sergio Silva (@CisoSersilva) July 1, 2020
The vulnerable library has shipped with Windows 10 since version 1709 and is also present in some Windows Server versions. The flaws exist in every Windows 10 release after v1709, including the 32-bit, 64-bit and ARM builds. On the server side, the affected versions are Windows Server 2019 and Windows Server version 2004 (Server Core installation).
Microsoft states that neither flaw has been exploited in the wild; in other words, the company says it patched the vulnerabilities before any attacker took advantage of them. The flaws were nonetheless reportedly simple to exploit: an attacker only needed to create a specially crafted image file and get it opened on the target system.
No Workarounds Or Mitigations For The Windows Codecs Library Flaws, But Mandatory Updates On The Way:
There are no workarounds or mitigations for these flaws. None are needed, however, because Microsoft has released an update that must be installed on Windows 10 and Windows Server devices to correct the issue and protect them against future exploitation attempts.
Microsoft has pushed an out-of-band update to address the flaws. Because the affected codecs are delivered as Microsoft Store packages, the fix arrives through a Microsoft Store update rather than Windows Update. The company notes that it will reach Windows 10 devices automatically and that users need not take any action. Administrators who want to fast-track installation can open the Microsoft Store app, select Menu > Downloads and updates, and click the “Get updates” button to run a manual check.
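An administrator rolling out these fixes will usually want to verify what actually landed on each host rather than trust the Store's silent update. The PowerShell script below is an added example, not from the article or from Microsoft; it assumes the Store package names Microsoft.HEVCVideoExtension* and Microsoft.HEIFImageExtension*, and its minimum-version parameters are placeholders to be replaced with the fixed versions from Microsoft's advisories for CVE-2020-1425 and CVE-2020-1457.

```powershell
# Added example: inventory the Store-delivered HEVC and HEIF codec packages on a
# Windows 10 host and flag any that are below a minimum version.
# Package name patterns are assumptions; the minimum versions are PLACEHOLDERS to be
# replaced with the patched versions from the MSRC advisories for the two CVEs.
param(
    [version]$MinHevcVersion = [version]'0.0.0.0',   # PLACEHOLDER: patched HEVC Video Extensions version
    [version]$MinHeifVersion = [version]'0.0.0.0'    # PLACEHOLDER: patched HEIF Image Extensions version
)

$targets = @(
    @{ Pattern = 'Microsoft.HEVCVideoExtension*'; Min = $MinHevcVersion; Label = 'HEVC' },
    @{ Pattern = 'Microsoft.HEIFImageExtension*'; Min = $MinHeifVersion; Label = 'HEIF' }
)

$report = foreach ($t in $targets) {
    # -AllUsers needs an elevated session; it catches per-user installs that a plain
    # Get-AppxPackage call from a single account would miss.
    $pkgs = Get-AppxPackage -AllUsers -Name $t.Pattern -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        # A host without the codec package is not exposed through it.
        [pscustomobject]@{ Codec = $t.Label; Package = '(not installed)'; Version = $null; Status = 'NotPresent' }
        continue
    }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        [pscustomobject]@{
            Codec   = $t.Label
            Package = $p.PackageFullName
            Version = $v
            Status  = if ($v -ge $t.Min) { 'OK' } else { 'NEEDS_UPDATE' }
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any installed codec package is still below the minimum,
# so the script can drive a scheduled task or a configuration-management check.
if ($report | Where-Object Status -eq 'NEEDS_UPDATE') { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session; hosts that exit 1 are the ones on which the manual Store check described above is worth forcing.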