In a security bulletin, Microsoft describes two flaws in the Windows Codecs Library. The company points out that both are remote code execution vulnerabilities. Unlike a spate of recent Windows problems, these flaws are not limited to Windows 10 May 2020 Update (version 2004). Microsoft says the vulnerabilities affect all Windows 10 versions from build 1709 onwards. They also affect the Windows 10 Server 2019 and version 2004 Core. Below are the two vulnerabilities:

CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

“A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.”

Details

Microsoft says the flaws were disclosed privately. A bad actor can exploit either bug by creating a specially crafted image file and tricking a victim into opening it on a target PC. There are currently no workarounds available for either flaw. However, Microsoft has rolled out an update that plugs the security gap. That update was sent out today automatically to users. Microsoft says the update for the Codecs Library came through the Microsoft Store app, so it is not available through Windows Update. Either way, users don’t have to do anything because the updates will install on their own.
