Critical Windows Codecs security issue affects Windows 10 and Server
Microsoft published details about two recently discovered security issues in the Microsoft Windows Codecs Library that affect Windows 10 client and server versions. The issues lie in the way the library "handles objects in memory".
Microsoft confirms the security issues and classifies both as remote code execution vulnerabilities, one rated critical and the other important.
All client versions of Windows 10 from Windows 10 version 1709 on, including 32-bit, 64-bit and ARM versions, and several Windows Server versions, including Windows Server 2019 and Windows Server version 2004 Core installation, are affected.
Update: Microsoft updated the descriptions of the vulnerabilities and added essential information to them. The company notes that default Windows 10 configurations are not affected; only systems on which the optional HEVC codecs are installed are.
The issues are not being exploited in the wild. To exploit a vulnerability, an attacker would need to create a specially crafted image file and get it opened on a target system.
Workarounds and mitigations are not available, but Microsoft has created an update that needs to be installed on Windows 10 and Windows Server devices to correct the issue and protect systems against potential exploits.
The update is pushed to devices through a Microsoft Store update. Microsoft notes that updates will land on devices automatically and that customers don't need to take any action in that regard.
Administrators who don't want to wait for the update to arrive on systems may open the Microsoft Store application manually, select Menu > Downloads and updates, and click the "Get updates" button there to run a manual check for updates.
Here are the links to the two vulnerabilities on Microsoft's MSRC portal:
- CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
- CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Lack of information is a problem
Microsoft does not reveal the name of the update that it created to address the security issue. A quick check on an up-to-date Windows 10 version 2004 Surface Go device returned updates for the apps "HEIF Image Extensions" and "HEVC Video Extensions from Device Manufacturer". It is unclear whether these are the updates that Microsoft is referring to, or whether the company has not yet released the security update to the general population.
I will keep an eye on the updates and update the article if a Windows Codecs Library related update becomes available.
Microsoft needs to provide additional information. Because of the lack of detail, it is unclear how administrators can check whether the updates are installed on devices. Information about the nature of the vulnerability, e.g. which image formats are affected, would also be useful.
Lastly, a Store update excludes systems from receiving the update if the Store application has been uninstalled or neutralized.
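One thing an administrator can do in the meantime is inventory the optional codec packages the article names and record their versions, so they can be compared against what the Store offers once the update lands. The PowerShell below is an added example written for this article, not Microsoft's guidance or any script from the article; the package name patterns (Microsoft.HEIFImageExtension*, Microsoft.HEVCVideoExtension*) are assumptions based on the Store app names, and the wildcard is there to catch both the paid and the "from Device Manufacturer" variants.

```powershell
# Added example (not from the article or from Microsoft): list the optional HEIF/HEVC
# codec packages so an admin can see whether a device is in scope and what version is
# installed. The name patterns below are assumptions about the Store package names.
$patterns = @('Microsoft.HEIFImageExtension*', 'Microsoft.HEVCVideoExtension*')

# -AllUsers requires an elevated prompt; drop it to query only the current user.
$codecs = foreach ($p in $patterns) {
    Get-AppxPackage -AllUsers -Name $p
}

if (-not $codecs) {
    # Per Microsoft's updated advisory text, a system without the optional HEVC codecs
    # is not affected.
    Write-Output 'No HEIF/HEVC codec packages installed; default configuration, not affected.'
} else {
    # Record Name/Version/Architecture so the versions can be compared with the Store
    # listing after running "Get updates".
    $codecs |
        Select-Object Name, Version, Architecture, PackageFullName |
        Format-Table -AutoSize
}

# The fix ships through the Store, so a device without the Store app will not receive it.
if (-not (Get-AppxPackage -AllUsers -Name 'Microsoft.WindowsStore')) {
    Write-Warning 'Microsoft Store is not installed; the codec update will not arrive via the Store.'
}
```

Run it once before checking for updates and once after; a changed Version column on the HEVC or HEIF package is the only observable sign of the update until Microsoft publishes package names or version numbers.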
Now You: What is your take on this? (via Bleeping Computer)