Microsoft has released a pair of security updates to address remote code execution (RCE) vulnerabilities in Windows 10 version 1709 or later and Windows Server 2019. More specifically, the vulnerabilities exist in the Microsoft Windows Codecs Library and are documented by Microsoft as CVE-2020-1425 and CVE-2020-1457. Microsoft does not believe that these vulnerabilities have been exploited by attackers as yet.
For both of the above-named vulnerabilities, Microsoft gives very similar descriptions, reproduced below:
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system (CVE-2020-1425). An attacker who successfully exploited the vulnerability could execute arbitrary code (CVE-2020-1457).
Exploitation of the vulnerability requires that a program process a specially crafted image file.
The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
Microsoft has acted quickly, outside its regular update schedule, to stamp on these bugs, as presenting a Windows 10 user with a 'specially crafted image file' while they are browsing the internet seems like a very large and draughty attack window.
Windows 10 users don't need to act to apply this update, as Microsoft has chosen to deploy updates to the Windows Codecs Library through the Microsoft Store app, so they are applied automatically. However, some might want to prod the update process along by following this simple procedure: open the Microsoft Store app, then select More > Downloads and updates > Get updates.
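The Store procedure above is manual and per-user. The PowerShell snippet below is an added example, not code from the article or from Microsoft, for an administrator who wants to confirm that the Store-delivered codec extension packages on a machine are at or above a fixed version and to nudge the Store into scanning for updates. The package name patterns, the minimum version placeholder, and the use of the MDM bridge WMI class to trigger a Store update scan are assumptions; the actual fixed version number must be taken from Microsoft's advisories for CVE-2020-1425 and CVE-2020-1457.

```powershell
# Added example (not from the article): inventory Store-delivered codec
# extension packages and flag any below a minimum version, then ask the
# Store to scan for updates. Run from an elevated prompt.
# ASSUMPTION: the name patterns below are guesses at the codec packages of
# interest; adjust them to match the package names listed in the advisory.
$namePatterns = @('*HEVC*', '*HEIF*', '*Codec*')
# PLACEHOLDER: replace with the fixed package version from Microsoft's advisory.
$minimumVersion = [version]'0.0.0.0'

function Get-CodecPackageStatus {
    param(
        [string[]]$Patterns = $namePatterns,
        [version]$Minimum = $minimumVersion
    )
    foreach ($pattern in $Patterns) {
        # -AllUsers needs elevation; drop it to inspect only the current user's packages.
        Get-AppxPackage -AllUsers -Name $pattern | ForEach-Object {
            $installed = [version]$_.Version
            [pscustomobject]@{
                Name        = $_.Name
                Version     = $installed
                NeedsUpdate = ($installed -lt $Minimum)
            }
        }
    }
}

# Report, one row per distinct package/version, with NeedsUpdate = True for stale installs.
Get-CodecPackageStatus | Sort-Object Name, Version -Unique | Format-Table -AutoSize

# Equivalent of pressing "Get updates" in the Store: trigger an update scan
# via the MDM bridge provider (ASSUMPTION: this class is present on the host;
# it is skipped silently where it is not).
$mdm = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' `
    -ErrorAction SilentlyContinue
if ($mdm) {
    $mdm | Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null
    Write-Host 'Store update scan requested; re-run Get-CodecPackageStatus once it completes.'
}
```

Because the Store updates these packages per user profile, checking with -AllUsers is what reveals a stale copy left in a profile that has not signed in since the fix shipped; the Store scan only refreshes packages for the signed-in user.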
Microsoft learned of these codec vulnerabilities from Abdul-Aziz Hariri, who passed the information on to Trend Micro's Zero Day Initiative (ZDI).