Microsoft releases an emergency update to fix two serious Windows vulnerabilities.
Microsoft released emergency security patches on Tuesday to plug a pair of serious vulnerabilities in its Windows Codecs library that affect several versions of Windows 10 and Windows Server. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote code execution (RCE) flaws are rated as 'critical' and 'important' in severity, respectively.
Both vulnerabilities stem from the way the Microsoft Windows Codecs Library handles objects in memory.
An attacker who exploits CVE-2020-1425 "could obtain information to further compromise the user's system," said Microsoft. Successful exploitation of the second flaw, meanwhile, could allow an attacker to execute arbitrary code on the targeted machine. Both flaws were given an "Exploitation Less Likely" rating on the Microsoft Exploitability Index.
Microsoft has not described specific attack vectors for these flaws, but it said that exploiting either vulnerability "requires a program to process a specially crafted image file." This could involve, for example, luring the target into downloading and opening the file.
The updates are being deployed automatically via the Microsoft Store rather than through the Windows Update process. "Affected customers will be updated automatically by the Microsoft Store. Customers do not need to take any action to get an update," said Microsoft.
To check whether the updates have been installed, or to expedite the process, Microsoft provides this guidance. The company is not aware of any mitigations or workarounds for the two vulnerabilities.