Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions.

Tracked as CVE-2020-1425 and CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions.

In security advisories published today, Microsoft said the two security flaws can be exploited with the help of a specially crafted image file.

If the malformed images are opened inside apps that use the built-in Windows Codecs Library to handle multimedia content, attackers could run malicious code on a Windows computer and potentially take over the device.

The two bugs — described as two remote code execution (RCE) vulnerabilities — received patches earlier today.

The patches have been deployed to customer systems via an update to the Windows Codecs Library, delivered through the Windows Store app — not the Windows Update mechanism.

For both security issues, affected systems include desktop platforms running Windows 10 version 1709 or later, Windows Server 2019, and several Windows Server (Server Core installation) versions.

Microsoft says that it has not identified any mitigating measures or workarounds for these two vulnerabilities.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft explains.

“Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.”

Both vulnerabilities were reported to Microsoft by Abdul-Aziz Hariri, a vulnerability analysis manager at Trend Micro’s Zero Day Initiative.