Microsoft releases urgent updates for Windows 10 codecs

by Mark Tyson on 1 July 2020, 12:31

Tags: Microsoft (NASDAQ:MSFT), Windows 10

Quick Link: HEXUS.net/qaempl

Add to My Vault: x

Microsoft has released a pair of security updates to address remote code execution (RCE) vulnerabilities in Windows 10 1709 or later, and Windows Server 2019, distributions. More specifically the vulnerabilities exist in the Microsoft Windows Codecs Library and are documented by Microsoft as CVE-2020-1425 and CVE-2020-1457. Microsoft doesn't think that these vulnerabilities have been exploited by hackers as yet.

For both the above named vulnerabilities, Microsoft writes very similar descriptions, as reproduced below:

A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. (An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. CVE-2020-1425) (An attacker who successfully exploited the vulnerability could execute arbitrary code. CVE-2020-1457).
Exploitation of the vulnerability requires that a program process a specially crafted image file.
The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

Microsoft has acted quickly, out of step with its regular update schedule, to stamp on these bugs as presenting a Windows 10 user with a 'specially crafted image file' when they are browsing the internet seems like a very large and draughty attack window.

Windows 10 users don't need to act to apply this update as Microsoft has chosen to deploy updates to the Windows Codecs Library through the Windows Store app, so they get applied automatically. However, some might want to prod the update process to get on with it by following this simple process: open the Microsoft Store app, then select the More > Downloads and updates > Get updates option.

Microsoft learned of these codec vulnerabilities thanks to being alerted by Abdul-Aziz Hariri, who passed the information on to Trend Micro's Zero Day Initiative (ZDI).



HEXUS Forums :: 7 Comments

Login with Forum Account

Don't have an account? Register today!
Microsoft has chosen to deploy updates to the Windows Codecs Library through the Windows Store app
The Store app that's not installed with Windows server if IRC.
I find it amusing and amazing how people can find zero days like this using an image file.
philehidiot
I find it amusing and amazing how people can find zero days like this using an image file.

That's is the very reason. People just think it's not possible and write insecure code, and then some clever so and so finds it.

Theoretically all data is just information in memory space so an image could contain data that represents CPU instructions and then if there is a vulnerability in the code that reads the image it could lead to a remote code execution. The expectation is of course loading an image file is not dangerous, where loading anything you don't have control over into RAM is potentially dangerous.
I've looked for this update but it's not showing on my domain controlled machine (In fact little from the store is showing as installed). I hope they are rolling it out as a generic patch too.
cheesemp
I've looked for this update but it's not showing on my domain controlled machine (In fact little from the store is showing as installed). I hope they are rolling it out as a generic patch too.

They are, you can get it by downloading this image file:

http://www.don'tclickmeyou…..