Microsoft has released fixes for two remote code execution (RCE) vulnerabilities in the Microsoft Windows Codecs Library on Windows 10 machines.
CVE-2020-1425 could allow attackers to obtain information to further compromise the user’s system, and CVE-2020-1457 would allow them to execute arbitrary code, all by tricking users into opening an image file.
“To successfully exploit this vulnerability, an attacker would need to deliver a specially crafted image file, like a JPG or TIFF or PNG, and convince the targeted victim to open the file. Data hidden within the image would then be processed by the image rendering program, executing arbitrary code on the endpoint. This code could be used to install a backdoor, allowing an attacker to modify user credentials, execute more code, or navigate laterally through the corporate network,” Richard Melick, Senior Technical Product Manager, Automox, explained.
The vulnerabilities were discovered by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative and they are not being actively exploited in the wild.
What initially seemed like critical out-of-band patches for Windows 10 and Windows Server 2019 systems turned out to be slightly less urgent patches since the flaws affect only Windows 10 systems and only those users who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store, limiting thusly the pool of machines open to attack.
Affected customers also didn’t have to do anything to receive the update, as they were automatically updated by (the consumer) Microsoft Store. Enterprise customers using Store for Business received the update in the same manner.
Microsoft has noted, though, that users who have turned off automatic updating for Microsoft Store apps should check for them with the Microsoft Store App or risk going without them.