Microsoft yesterday pushed out a security update to fix two vulnerabilities in the Windows Codecs Library. The company has served these updates via the Microsoft Store to all affected, supported versions of Windows 10 and Windows Server.
The vulnerabilities, tracked as CVE-2020-1457 and CVE-2020-1425, are bugs in the way the Codecs Library handles objects in memory. When exploited, these flaws let an attacker “execute arbitrary code” or gain further information from the victim machine. Both vulnerabilities can be exploited when a specially crafted image file is “processed” by the user’s device, which then allows an attacker to gain control of the device and perform malicious actions.
Currently, there are no known workarounds or mitigations for these vulnerabilities. Thankfully, the Redmond company adds that the flaws have not been publicly disclosed and that there are no known exploits in the wild. The firm credits Trend Micro’s Zero Day Initiative for privately disclosing the bugs.
It must be noted that the fix for these security threats has been deployed via an update to the codecs through the Microsoft Store, and not through Windows Update. The company says that customers do not need to take any specific action to receive the update.
Source: Microsoft (1)(2) via ZDNet