Microsoft has released an out-of-band update, outside its normal monthly patch cycle, to correct two serious vulnerabilities in the Windows Codecs Library which, if exploited, could allow remote code execution.
Windows uses the built-in Windows Codecs Library to handle multimedia content such as photos and videos: it decodes compressed image and video formats so that applications can display or play them. Both flaws lie in the way the library handles objects in memory while parsing that content.
Both flaws were identified by security researcher Abdul-Aziz Hariri, Vulnerability Analysis Manager at Trend Micro’s Zero Day Initiative. The two flaws, assigned CVE-2020-1425 and CVE-2020-1457, are present only in Windows 10 and Windows Server 2019; no other Windows versions are affected.
CVE-2020-1425 is rated Critical. An attacker could exploit it by getting a user to open a malformed image file in any application that decodes images through the Windows Codecs Library; successful exploitation allows the attacker to run arbitrary code and potentially take full control of the device. CVE-2020-1457 is rated Important and is triggered in the same way, through a malformed image; exploitation could give an attacker information that helps compromise the system further.
The fixes are delivered through the Microsoft Store, not through Windows Update, and the updated codec packages are pushed to affected systems automatically, so most customers do not need to take any action. Microsoft has not detected any attempted exploitation of the flaws in the wild, and it lists no mitigations or workarounds, so applying the update is the only defence. Users who do not want to wait for the automatic push can check for and apply the updates through the Microsoft Store app. The delivery path matters for managed environments: because the fix depends on the Store, machines where Microsoft Store access or automatic app updates are disabled by policy will not pick it up on their own and need the codec package updated by other means.
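The following PowerShell snippet is an added example, not from the article or from Microsoft's advisory, for checking whether a machine still carries a vulnerable build of the HEVC codec package and for triggering a Store update scan without waiting for the automatic push. The package-name wildcard, the minimum fixed version (1.0.31822.0) and the use of the MDM application-management CIM class are assumptions; confirm the fixed version number against Microsoft's advisory for CVE-2020-1425 and CVE-2020-1457 before relying on the result. Run it from an elevated prompt, since enumerating packages for all users and starting the update scan both require administrative rights.

```powershell
# Added example (not Microsoft's or the article's own code): report installed
# HEVC codec packages against a minimum fixed version and request a Store
# update scan.
# $MinimumFixedVersion is an assumption; verify it against Microsoft's advisory
# for CVE-2020-1425 / CVE-2020-1457.
param(
    [version]$MinimumFixedVersion = '1.0.31822.0'
)

# Both the Store-delivered package and the OEM-preinstalled variant contain the
# codec, so match the package family name with a wildcard (assumed names).
$packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $packages) {
    Write-Output 'No HEVC codec package is installed on this machine.'
}
else {
    foreach ($pkg in $packages) {
        # Appx versions are four-part numeric strings, so they cast to [version]
        # and compare numerically rather than as text.
        $installed = [version]$pkg.Version
        $status = if ($installed -ge $MinimumFixedVersion) { 'OK' } else { 'UPDATE NEEDED' }
        [pscustomobject]@{
            PackageFullName = $pkg.PackageFullName
            Version         = $pkg.Version
            Status          = $status
        }
    }
}

# Ask the Store client to scan for and install pending app updates now.
# This is the same action as "Get updates" in the Microsoft Store app; it only
# succeeds where Store access and automatic app updates are not blocked by policy.
Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
    -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
    Invoke-CimMethod -MethodName 'UpdateScanMethod'
```

Re-run the package listing a few minutes after the scan to confirm the version has moved past the threshold; if it has not, the machine is most likely one where Store updates are blocked and the package must be deployed by other means.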