[German]Microsoft has patched vulnerabilities CVE-2020-1425 and CVE-2020-1457 in the Windows Codecs Library in an emergency update on 30 June 2020. This affects Windows 10 and its Windows Server counterparts.
Advertising
Security information from Microsoft
I have received the information about the unscheduled security updates from Microsoft by mail. They wrote last night:
***********************************************************************
Title: Microsoft Security Update Releases
Issued: June 30, 2020
***********************************************************************
Summary
The following CVEs have undergone a major revision increment:
* CVE-2020-1425
* CVE-2020-1457
Revision Information:
=====================
* CVE-2020-1425
Advertising
– CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution
Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: June 30, 2020
– Updated: N/A
– Aggregate CVE Severity Rating: Critical
* CVE-2020-1457
– CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution
Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: June 30, 2020
– Updated: N/A
– Aggregate CVE Severity Rating: Important
Both CVEs are Remote Code Execution (RCE) vulnerabilities that were considered critical.
CVE-2020-1425-Windows Codecs Library RCE vulnerability
CVE-2020-1425 is a remote code execution (RCE) vulnerability in the Microsoft Windows Codecs Library. The RCE vulnerability is due to the way the Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.
Exploiting the vulnerability requires a program to process a specially crafted image file. An available update fixes the vulnerability in the Microsoft Windows Codecs library. Updates are available from Windows 10 version 1709 to Windows Server 2019. For details see CVE-2020-1425.
CVE-2020-1457-Windows Codecs Library RCE vulnerability
CVE-2020-1457 is also a Remote Code Execution (RCE) vulnerability in the Microsoft Windows Codecs Library. The RCE vulnerability is due to the way the Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability by using a prepared image file could remotely execute foreign code. An available update resolves the vulnerability in the Microsoft Windows Codecs Library. Updates are available from Windows 10 version 1709 to Windows Server 2019. Details can be found at CVE-2020-1457.
Delivery via the store
Affected customers will be automatically updated by the Microsoft Store (not via Windows Update) with the necessary updates for the Windows Codecs Library. Users do not need to take any action to obtain the update. Alternatively, customers who want to receive the update immediately can use the Microsoft Store App to check for updates.
Martin Brinkmann from ghacks.net has published a screenshot here showing the update search in the store. The problem with the whole approach: There is no information which updates are needed. And it's also stupid, that the updates are shipped via store. Martin Brinkmann writes on ghacks.net that he found two entries, HEIF image extensions and HEVC video extensions. I found one of these entries during the update search in the store. So I don't know if it fits either.
