Microsoft has released emergency fixes for two remote code execution (RCE) vulnerabilities affecting codecs in Windows 10 and Windows Server 2019, out of sync with its routine Patch Tuesday updates.
Assigned CVE-2020-1425 and CVE-2020-1457, both flaws are centred on the way that Microsoft Windows Codecs Library handles objects in memory, and have been given a CVSS score of 7.3 each.
Successful exploitation would allow an attacker to use the two flaws to execute arbitrary code and obtain information to further compromise a user’s system.
The vulnerabilities affect customers using several iterations of Windows 10, including the latest May 2020 Update, as well as Windows Server 2019, according to security advisories published by Microsoft.
They can each be exploited using a specially crafted image file, which is designed to be opened inside apps that use the Windows Codec Library. If the image file is opened, attackers would be able to run malicious code on a user’s machine and eventually seize control of their device.
Microsoft insists that affected customers need not take any action, because the Windows Codecs Library will be automatically patched by the Microsoft Store, as opposed to the patches being released through Windows Update.
Customers who want to receive the update immediately can check for updates with the Microsoft Store app, with more information on this process available.
Microsoft normally reserves essential security fixes for its Patch Tuesday round of monthly updates, although the company does occasionally release out-of-band fixes when serious vulnerabilities are discovered and need immediate mitigation.
One of the company’s most recent Patch Tuesday saw fixes released for three zero-day flaws under active exploitation, as part of a wave of 113 patches. Two of these critical flaws lied in Adobe Type Manager Library, with Microsoft previously warning they were being exploited in “limited attacks”.
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
