Microsoft has released two out-of-band security patches for remote code execution (RCE) laws in the Windows Codecs Library. The vulnerabilities affect both Windows 10 and Windows Server 2019.
Windows Codecs Library provides support for different photo and video file formats so software developers can support the media file formats their users expect. A critical flaw in the Codecs Library could affect several software programs at the same time, including browsers, document viewers, video editors, and image gallery tools, Sophos explains in a blog post.
CVE-2020-1425, categorized as critical, and CVE-2020-1457, categorized as important, both exist in the way the Windows Codecs Library handles objects in memory, Microsoft says in its advisory. Exploitation for both bugs requires a program to process a specially crafted image file.
If exploited, CVE-2020-1425 could allow an attacker to obtain information that would let them further compromise a system. CVE-2020-1457 could enable someone to execute arbitrary code. Neither vulnerability was publicly known or exploited prior to the patches released this week, and Microsoft has not disclosed why it didn't wait until Patch Tuesday to deploy these fixes.
The updates released today address these flaws by correcting how the Windows Codecs Library handles objects in memory. Customers affected will be automatically updated via the Microsoft Store and don't need to take any action, the company says.
Read more details about both flaws here.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.