Critical Windows Codecs security issue affects Windows 10 and Server

Martin Brinkmann
Jul 1, 2020
Updated • Jul 3, 2020
Windows, Windows 10, Windows Updates

Microsoft published details about two recently discovered security issues in the Microsoft Windows Codecs Library that affect Windows 10 client and server versions. Both issues lie in the way the library "handles objects in memory".

Microsoft has confirmed the issues and classifies both as remote code execution vulnerabilities, rated critical and important.

All client versions of Windows 10 from version 1709 onward, including 32-bit, 64-bit and ARM builds, are affected, as are several Windows Server versions, including Windows Server 2019 and Windows Server version 2004 (Server Core installation).

Update: Microsoft has updated the descriptions of the vulnerabilities and added essential information. The company notes that default Windows 10 configurations are not affected; only systems on which the optional HEVC codecs are installed are.

The issues have not been exploited in the wild. To exploit them, an attacker would have to create a specially crafted image file and get it opened on the target system.

No workarounds or mitigations are available, but Microsoft has released an update that needs to be installed on affected Windows 10 and Windows Server devices to correct the issue and protect them against potential exploits.

The update is pushed to devices through a Microsoft Store update. Microsoft notes that updates will land on devices automatically and that customers don't need to take any action in that regard.


Administrators who do not want to wait for the update to arrive may open the Microsoft Store application manually, select Menu > Downloads and updates, and click the "Get updates" button to run a manual check for updates.

Here are the links to the two vulnerabilities on Microsoft's MSRC portal:

  • CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
  • CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

Lack of information is a problem

Microsoft does not reveal the name of the update it created to address the security issue. A quick check on an up-to-date Windows 10 version 2004 Surface Go device returned updates for the apps HEIF Image Extensions and HEVC Video Extensions from Device Manufacturer. It is unclear whether these are the updates Microsoft refers to, or whether the company has not yet released the security update to the general population.

I will keep an eye on the updates and update the article if a Windows Codecs Library related update becomes available.

Microsoft needs to provide additional information. Because of the lack of detail, it is unclear how administrators can verify that the updates are installed on their devices. Information about the nature of the vulnerability, e.g. which image formats are affected, would also be useful.
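One way administrators can at least inventory the Store-delivered codec packages and their versions on a host, as an added example that is not from the article or from Microsoft: the package-name patterns are assumptions based on the app names mentioned above, and the minimum version is a placeholder, since the article gives no fixed build number.

```powershell
# Added example (not from the article): list the Store-delivered codec
# extension packages on this host and compare their versions against a
# minimum you supply. The package-name patterns are assumptions based on
# the apps the article names ("HEIF Image Extensions", "HEVC Video
# Extensions from Device Manufacturer"); confirm them against the
# Get-AppxPackage output on your own systems before relying on them.
function Get-CodecExtensionStatus {
    param(
        [string[]]$NamePatterns = @('Microsoft.HEIFImageExtension*',
                                    'Microsoft.HEVCVideoExtension*'),
        # Placeholder: take the fixed build number from the MSRC advisory.
        [version]$MinimumVersion = [version]'0.0.0.0',
        # -AllUsers requires an elevated shell but covers every profile.
        [switch]$AllUsers
    )
    $packages = foreach ($pattern in $NamePatterns) {
        if ($AllUsers) { Get-AppxPackage -AllUsers -Name $pattern }
        else           { Get-AppxPackage -Name $pattern }
    }
    if (-not $packages) {
        # Nothing matched: the optional HEVC/HEIF codecs are not installed,
        # which per the updated advisory means the host is not affected.
        return [pscustomobject]@{ Name = '(none installed)'; Version = $null;
                                  Architecture = $null; Status = 'NotInstalled' }
    }
    foreach ($pkg in $packages) {
        $ver = [version]$pkg.Version
        [pscustomobject]@{
            Name         = $pkg.Name
            Version      = $ver
            Architecture = $pkg.Architecture
            Status       = $(if ($ver -ge $MinimumVersion) { 'AtOrAboveMinimum' }
                             else { 'BelowMinimum' })
        }
    }
}

# Trigger a Store app-update scan now rather than waiting for the automatic
# cycle (the same effect as Menu > Downloads and updates > Get updates).
# Uses the MDM bridge WMI provider; requires an elevated shell.
function Start-StoreUpdateScan {
    Get-CimInstance -Namespace 'Root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName 'UpdateScanMethod'
}

Get-CodecExtensionStatus -AllUsers | Format-Table -AutoSize
```

Running the inventory before and after the scan shows whether the extension package versions actually changed on a given host, which is the check the article notes Microsoft does not document.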

Lastly, delivering the fix through the Store means that systems on which the Store application has been uninstalled or disabled will not receive the update.

Now You: What is your take on this? (via Bleeping Computer)

Publisher: Ghacks Technology News


Comments

  1. zat said on July 5, 2020 at 3:59 pm
    Reply

    I started seeing the following images in my shaw webmail account around the time this CVE was released… makes me wonder: https://postimg.cc/k2YTtqbV

    they change slightly each time on reload, colors from one to another. Initially before learning about this latest exploit, I intuitively thought, maybe bugged.

  2. Paul said on July 3, 2020 at 3:45 am
    Reply

    All the people who didn’t get suckered into Windows 10 are likely smiling every time they read one of these many articles showing serious problems with Windows 10.

    1. Gomer Gonorrhea said on July 4, 2020 at 10:05 am
      Reply

      Folks who don’t use Windows can imagine all they want with their dopey smiles, yet most Windows users rarely have any serious problems with the OS.

  3. chesscanoe said on July 2, 2020 at 2:02 pm
    Reply

    Updated 1.2 version at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1425 makes me say “What, me worry?”
    ¯\_(ツ)_/¯

  4. soglmen said on July 2, 2020 at 12:59 pm
    Reply

    And if "Get updates" in the Microsoft Store does not show the video extension, does the computer then need to wait and not be used for a short time, to avoid the security risk while connected to the internet?

  5. d3x said on July 1, 2020 at 11:10 am
    Reply

    Microsoft Store is not available on Windows Server, I wonder how they are going to update.

    1. Bobby Phoenix said on July 1, 2020 at 8:03 pm
      Reply

      Not only that, but I know of many people who either disable, or completely remove, the Windows Store. How do they get patched?

      1. Doom said on July 2, 2020 at 12:05 am
        Reply

        It is strange that they have chosen to fix vulnerabilities through the store. You wouldn’t think that codecs are used by only store apps, but perhaps they are in this case? If that’s true, which they don’t make clear, then it’s not a problem if you never use the store and uninstall the included store apps. As usual not enough info to be sure either way.

      2. Sitty Tucker said on July 5, 2020 at 1:50 am
        Reply

        @Doom

        It’s not “strange” as you clearly don’t know why they did that. You can be curious, but that’s about it. That said, although our speculations are rather moot in this matter, I speculate that they provided this temporary help through the store as it provided the best and secure method right now for some users. This is not a huge threat, and I reckon they will roll out a proper solution to all users soon enough. As such, I’m not at all concerned with this news.

    2. Yuliya said on July 1, 2020 at 6:58 pm
      Reply

      Windows Update on 14th July. But neither LTSC nor Server 2019 support HEIC and HEVC natively. I don’t know about WMP as I have it disabled, but I doubt.
      These are still new and changing codecs, with very little market usage. A fully up to date SGS10 still produces JPEG and h264/MP4 files by default, with the HEIC/h265 being “experimental” features.

  6. Addy T. said on July 1, 2020 at 9:37 am
    Reply

    These image extensions are a total joke. The handling of images is unbelievably clumsy (especially with AVIF), you can’t tag the files; the Photos app doesn’t allow them (Live Photo Gallery accepts third-party image codecs, even PSD, with no trouble). Leave it to Microsoft to invent WIC codecs and fail to properly handle them. Also, it’s a mystery why so many of the MS Store apps require you to sign in – To Do needs you to be online! Same with the Phone app etc.
