Out-of-band updates for serious Windows Codecs Library vulnerabilities available via the Microsoft Store
Microsoft has released two off-schedule patches for serious vulnerabilities in the Windows Codecs Library affecting Windows 10 and Windows Server.
With the updates, which have been released through the Microsoft Store, the company is addressing the "critical" CVE-2020-1425 and the "serious" CVE-2020-1457. Both are Remote Code Execution vulnerabilities, and both have been addressed with little fanfare from Microsoft.
In a vulnerability notice about one of the issues, Microsoft says of CVE-2020-1425: "A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. Exploitation of the vulnerability requires that a program process a specially crafted image file".
Of the less serious CVE-2020-1457 vulnerability, Microsoft says:
"A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code."
The good news is that while both of the vulnerabilities were serious, there is currently no evidence to suggest that either of them has been actively exploited.
Microsoft says that both patches address "the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory".