Microsoft published two out-of-band security updates on Tuesday to patch two vulnerabilities in the Microsoft Windows Codecs Library.
The two bugs – tracked as CVE-2020-1425 and CVE-2020-1457 – only impact Windows 10 and Windows Server 2019 distributions. Codecs take data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and rework it so it can be sent and received easily. “A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” Microsoft explained.
As described, if malformed images are opened inside apps that use the built-in Windows Codecs Library to handle multimedia content, attackers can run malicious code on the Windows computer. The patches have been deployed to customer systems via an update to the Windows Codecs Library, delivered through the Windows Store app rather than the Windows Update mechanism. “Customers do not need to take any action to receive the update,” Microsoft said.