Microsoft Issues Out-of-Band Patches for RCE Flaws

Vulnerabilities had not been exploited or publicly disclosed before fixes were released, Microsoft reports.

Dark Reading Staff, Dark Reading

July 2, 2020


Microsoft has released two out-of-band security patches for remote code execution (RCE) flaws in the Windows Codecs Library. The vulnerabilities affect both Windows 10 and Windows Server 2019.

Windows Codecs Library provides support for different photo and video file formats so software developers can support the media file formats their users expect. A critical flaw in the Codecs Library could affect several software programs at the same time, including browsers, document viewers, video editors, and image gallery tools, Sophos explains in a blog post.

CVE-2020-1425, categorized as critical, and CVE-2020-1457, categorized as important, both exist in the way the Windows Codecs Library handles objects in memory, Microsoft says in its advisory. Exploitation for both bugs requires a program to process a specially crafted image file.

If exploited, CVE-2020-1425 could allow an attacker to obtain information that would let them further compromise a system. CVE-2020-1457 could enable someone to execute arbitrary code. Neither vulnerability was publicly known or exploited prior to the patches released this week, and Microsoft has not disclosed why it didn't wait until Patch Tuesday to deploy these fixes.

The updates released today address these flaws by correcting how the Windows Codecs Library handles objects in memory. Customers affected will be automatically updated via the Microsoft Store and don't need to take any action, the company says.

Read more details about both flaws here.
