
Microsoft has released two out-of-band security updates to address remote code execution vulnerabilities in the Microsoft Windows Codecs Library on Windows 10, version 1709 and later.
The two vulnerabilities are tracked as CVE-2020-1425, rated critical, and CVE-2020-1457, rated important.
Because the fixes are delivered through the Microsoft Store rather than Windows Update, they install automatically on vulnerable systems only where automatic updating of Microsoft Store apps has not been disabled.
All Windows 10 architectures affected
In both cases, the remote code execution flaw stems from the way the Microsoft Windows Codecs Library handles objects in memory. Exploitation requires that a program on the target process a specially crafted image file, for example one delivered by e-mail, a web page, or a shared folder.
"Only customers who have installed the optional HEVC or 'HEVC from Device Manufacturer' media codecs from Microsoft Store may be vulnerable," according to Microsoft.
After successfully exploiting CVE-2020-1425, attackers "could obtain information to further compromise the user’s system," while successful exploitation of CVE-2020-1457 could lead to arbitrary code execution on vulnerable systems.
According to Microsoft, the two out-of-band security updates address the vulnerabilities "by correcting how Microsoft Windows Codecs Library handles objects in memory."
Both security issues impact 32-bit, x64-based, and ARM64-based devices running the following Windows 10 versions:
• Windows 10, version 1709
• Windows 10, version 1803
• Windows 10, version 1809
• Windows 10, version 1903
• Windows 10, version 1909
• Windows 10, version 2004
No mitigation available, updates will install automatically
Microsoft says that it has not identified any mitigating measures or workarounds for these two vulnerabilities.
"Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update," Microsoft explains.
"Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here."
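The two practical questions an administrator has after reading Microsoft's FAQ and the update note above are: is the optional HEVC codec actually installed on a given machine (if not, the default configuration is not affected), and will the Store be able to deliver the fix on its own, or is it blocked by Group Policy? The following PowerShell script is an added example, not code from the article or from Microsoft, that answers both. It assumes the Appx package names `Microsoft.HEVCVideoExtension` ("HEVC Video Extensions from Device Manufacturer") and `Microsoft.HEVCVideoExtensions` (the paid "HEVC Video Extensions") as they appear in the Store listings, and the `RemoveWindowsStore` and `AutoDownload` policy values written by the "Turn off the Store application" and "Turn off Automatic Download and Install of updates" Group Policies; verify both against your own inventory before relying on them.

```powershell
# Added example, not from the article or from Microsoft: inventory the optional
# HEVC codec packages that these Store-delivered updates target, and check the
# Store policy settings that decide whether the fix can arrive automatically.
# Assumed package names (taken from the Store listings; confirm with
# Get-AppxPackage on your own machines):
$HevcPackageNames = @(
    'Microsoft.HEVCVideoExtension',    # "HEVC Video Extensions from Device Manufacturer"
    'Microsoft.HEVCVideoExtensions'    # paid "HEVC Video Extensions"
)

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HevcCodecExposure {
    # Returns one object describing the installed HEVC packages (if any), their
    # versions, and whether Store policy blocks automatic delivery of the update.
    $elevated = Test-IsElevated

    # -AllUsers needs an elevated prompt; without it only the current profile is visible.
    $packages = foreach ($name in $HevcPackageNames) {
        if ($elevated) { Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue }
        else           { Get-AppxPackage -Name $name -ErrorAction SilentlyContinue }
    }

    # Policy values (assumed, see lead-in) written by the Store Group Policies.
    $storePolicy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -ErrorAction SilentlyContinue
    $storeRemoved  = ($storePolicy.RemoveWindowsStore -eq 1)   # Store app turned off
    $autoUpdateOff = ($storePolicy.AutoDownload -eq 2)         # automatic app updates turned off

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Elevated           = $elevated
        HevcInstalled      = [bool]$packages
        Packages           = @($packages | ForEach-Object {
                                 [pscustomobject]@{
                                     Name    = $_.Name
                                     Version = $_.Version
                                     # Number of user profiles the package is registered for
                                     Users   = if ($elevated) { ($_.PackageUserInformation | Measure-Object).Count } else { 1 }
                                 }
                             })
        StoreDisabledByGPO = $storeRemoved
        StoreAutoUpdateOff = $autoUpdateOff
        # Per Microsoft's FAQ only machines with the optional codec are exposed; of those,
        # the ones where the Store or its auto-updates are blocked will not self-heal.
        NeedsManualAction  = [bool]$packages -and ($storeRemoved -or $autoUpdateOff)
    }
}

function Start-StoreUpdateScan {
    # Ask the Store's MDM bridge to scan for app updates now (the same thing the
    # "Get updates" button in the Store app triggers). Requires elevation.
    $class = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' -ErrorAction Stop
    $class | Invoke-CimMethod -MethodName UpdateScanMethod
}

$result = Get-HevcCodecExposure
$result | Format-List
$result.Packages | Format-Table -AutoSize
if ($result.NeedsManualAction) {
    Write-Warning 'HEVC codec is installed but Store delivery is blocked by policy; this machine will not receive the fix automatically.'
}
```

Run it from an elevated prompt so that packages installed in other users' profiles are counted. A machine reporting `HevcInstalled = False` is not affected in the sense of Microsoft's FAQ regardless of its Store settings; a machine reporting `NeedsManualAction = True` has the vulnerable codec but cannot receive the Store update on its own, and `Start-StoreUpdateScan` will only help there once the policy is relaxed. Compare the reported `Version` against the fixed package version in Microsoft's advisory, which this article does not state.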
Both vulnerabilities were reported to Microsoft by vulnerability analysis manager Abdul-Aziz Hariri through Trend Micro's Zero Day Initiative.
Update July 02, 13:24 EDT: Removed Windows Server from the list of affected systems and included HEVC info.

Comments
ticomoose - 4 years ago
What about companies that have the Windows Store disabled through Group Policy? So far I have not been able to find any indication of how we can get this update on our machines?
TanyaC - 4 years ago
+1. We don't have store either
ticomoose - 4 years ago
So far, only clarification seems to be that these updates are for apps available through the store, so if you don't have the apps, you don't need the updates. That would seem to support the HEVC Codec theory. It is not installed by default, so if we have the store disabled and have not installed the codec, we may not need the update. But it would be nice if Microsoft would officially comment and clarify for those of us in this situation.
https://social.technet.microsoft.com/Forums/en-US/9604e252-bcfa-4230-9bcf-e1b5515f72c7/the-new-updates-today-cve20201425-and-cve20201457-say-they-will-update-through-windows-store?forum=win10itprosecurity
ticomoose - 4 years ago
This was not there yesterday: On the official post from Microsoft, it says, "FAQ:
Is Windows vulnerable in the default configuration?
No. Only customers who have installed the optional HEVC or "HEVC from Device Manufacturer" media codecs from Microsoft Store may be vulnerable."
So if you don't have the Store and haven't downloaded the HEVC from it, you don't need to worry about this.