Microsoft releases urgent patch for high-risk Windows 10 flaws

Two vulnerabilities in the Windows Codecs Library affected customers using several iterations of Windows 10 and Windows Server

Microsoft has released emergency fixes for two remote code execution (RCE) vulnerabilities affecting codecs in Windows 10 and Windows Server 2019, out of sync with its routine Patch Tuesday updates.

Assigned CVE-2020-1425 and CVE-2020-1457, both flaws are centred on the way that Microsoft Windows Codecs Library handles objects in memory, and have been given a CVSS score of 7.3 each. 

Successful exploitation would allow an attacker to use the two flaws to execute arbitrary code and obtain information to further compromise a user’s system.

The vulnerabilities affect customers using several iterations of Windows 10, including the latest May 2020 Update, as well as Windows Server 2019, according to security advisories published by Microsoft.

They can each be exploited using a specially crafted image file, which is designed to be opened inside apps that use the Windows Codec Library. If the image file is opened, attackers would be able to run malicious code on a user’s machine and eventually seize control of their device. 

Microsoft insists that affected customers need not take any action, because the Windows Codecs Library will be automatically patched by the Microsoft Store, as opposed to the patches being released through Windows Update.

Customers who want to receive the update immediately can check for updates with the Microsoft Store app, with more information on this process available.

Microsoft normally reserves essential security fixes for its Patch Tuesday round of monthly updates, although the company does occasionally release out-of-band fixes when serious vulnerabilities are discovered and need immediate mitigation.

One of the company’s most recent Patch Tuesday saw fixes released for three zero-day flaws under active exploitation, as part of a wave of 113 patches. Two of these critical flaws lied in Adobe Type Manager Library, with Microsoft previously warning they were being exploited in “limited attacks”. 

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Square to acquire Afterpay for $29 billion
mergers and acquisitions

Square to acquire Afterpay for $29 billion

2 Aug 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021