Microsoft released two out-of-band security patches to address remote code execution vulnerabilities affecting the Windows 10 Codecs Library, weeks ahead of the next Patch Tuesday, when the company typically releases updates.
The software giant published advisories on Tuesday for the two bugs, which can be found in Windows Codecs on several Windows 10 and Windows Server versions. The first codecs vulnerability, disclosed as CVE-2020-1425, was rated critical. If an attacker successfully exploited the flaw, they “could obtain information to further compromise the user’s system,” Microsoft wrote in the advisory.
The second vulnerability, CVE-2020-1457, was rated important and could allow attackers to execute arbitrary code on vulnerable systems. “Exploitation of the vulnerability requires that a program process a specially crafted image file,” Microsoft wrote in both advisories.
The vulnerabilities were reported to Microsoft in March by Abdul-Aziz Hariri, vulnerability analysis manager with Trend Micro’s Zero Day Initiative.
“The vulnerabilities exist within the parsing of HEIC (High Efficiency Image File Format) images. The vulnerabilities are out of bound writes. Exploitation should not be terribly hard. They do require a certain level of user-interaction (opening a file or visiting a website),” Hariri wrote in an email to SearchSecurity.
He also said the discoveries were part of an internal fuzzing project he conducted earlier this year, and that he was pleased with Microsoft’s prompt response to the reported flaws.
Microsoft said customers do not need to take any action to receive the update and that affected customers will be automatically updated.