Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.
Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications. The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update Tuesday night and affect several versions of Windows 10 and Windows Server 2019.
Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates.
CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library.
Microsoft included a complete list of the Windows 10 and Windows Server distributions affected in its advisories, which offered little in terms of specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabities.
Affected customers need to take no action to receive the update, as they will be automatically updated by Microsoft Store, according to the company. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App.