Microsoft have issued urgent, out-of-band patches for two vulnerabilities found in the Windows Codecs Libraries.
The vulnerabilities, discovered by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative, are CVE-2020-1425 and CVE-2020-1457. Both represent issues in the way in which the Windows Codecs Library handles certain objects in memory and exploiting these vulnerabilities can allow an attacker to obtain remote code execution by using a specially crafted image file. Microsoft’s own assessment is that neither of these vulnerabilities are being actively exploited, and they determine that exploitation is “less likely”. No exploit has yet been released publicly.
Default configurations of Windows are not vulnerable, only those with the “HEVC from Device Manufacturer” media codecs installed can be exploited. As this is an optional package available through the Microsoft Store, users will not receive the patches through Windows Updates. However, the patches are available now in the Microsoft Store.
If users are unsure whether they have these packages installed, they should open the Microsoft Store and navigate to “My Library” from the side menu. From here, users can view installed apps and should look for versions lower than 1.0.31822.0 and 1.0.31823.0, which are the patched versions.
The following products are vulnerable to CVE-2020-1425 and CVE-2020-1457:
- Windows 10, versions 1707, 1803, 1809, 1903, 1909 and 2004 for 32-bit, x64-based, and ARM64-based systems
Again, systems are only vulnerable if they have the “HEVC from Device Manufacturer” media codecs installed.
Users should configure their settings in the Microsoft Store to automatically apply updates for installed software packages. Updates to these packages are not released as part of the normal Windows Updates cycle, so critical patches such as these could be missed.
In addition to ensuring that affected systems are updated as soon as possible, users should ensure that antivirus solutions are updated and should monitor for indicators of compromise. Users may benefit from checking to see if their preferred software packages are released on the Microsoft Store and should reinstall from there to ensure automatic updates are applied, if such a facility is not already provided by the software developers.
Administrators should ensure patching policies include the Microsoft Store as a source of updates, if their users are permitted access to the facility.