Microsoft has released two out-of-band security updates to fix a pair of vulnerabilities that could allow attackers to remotely execute arbitrary code on systems running Windows 10 and Windows Server 2019.
According to Microsoft, the two bugs, tracked as CVE-2020-1425 and CVE-2020-1457, exist in the Microsoft Windows Codecs Library, the component the OS and applications use to encode and decode compressed multimedia files (photos and videos) for storage and playback.
Both flaws are remote code execution bugs rooted in the way the Windows Codecs Library handles objects in memory. Microsoft's advisories describe the impact of successful exploitation as the ability to execute arbitrary code, or to obtain information that could be used to further compromise the targeted system.
Exploitation requires a victim to open a specially crafted image file in an application that uses the Windows Codecs Library. In practice, an attacker would lure the target into downloading and opening a malicious image delivered by email or hosted on a compromised website.
The security updates released by Microsoft address the bugs by correcting how Microsoft Windows Codecs Library handles objects in memory.
Because the affected codecs are distributed as Microsoft Store packages rather than through Windows Update, the fixes arrive through the Microsoft Store. Users don't need to take any action to receive them, as the patches will be deployed automatically to affected systems, the company said. Those who want to update immediately can check for updates in the Microsoft Store app.
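For administrators who want to verify rather than wait, the following PowerShell snippet is an added example, not part of the article or of Microsoft's guidance. It lists the Store-delivered media extension packages installed for all users, so their versions can be compared against the fixed versions listed in Microsoft's advisories, and then forces a Store update scan through the MDM bridge. The package-name filter is an assumption about which Store packages carry the affected codecs; the Store enumeration itself and the `UpdateScanMethod` call are standard Windows interfaces.

```powershell
# Added example (not from the article): inventory Store-delivered codec packages
# and trigger an immediate Microsoft Store update scan.
# Run from an elevated PowerShell session.

# ASSUMPTION: the affected codecs ship in Store packages named like
# Microsoft.*VideoExtension* / Microsoft.*ImageExtension*. Adjust the filter if
# your advisory review points at a different package.
function Get-StoreCodecPackages {
    Get-AppxPackage -AllUsers |
        Where-Object { $_.Name -like 'Microsoft.*Extension*' } |
        Select-Object Name, Version, PackageFullName |
        Sort-Object Name
}

# Force the Store to check for app updates now instead of waiting for its
# background schedule. Uses the MDM bridge WMI class exposed on Windows 10 /
# Server 2019; requires an elevated session.
function Start-StoreUpdateScan {
    $ns    = 'root\cimv2\mdm\dmmap'
    $class = 'MDM_EnterpriseModernAppManagement_AppManagement01'
    $mgmt  = Get-CimInstance -Namespace $ns -ClassName $class
    if (-not $mgmt) {
        throw "MDM bridge class $class not available; run elevated on a supported Windows build."
    }
    $result = Invoke-CimMethod -InputObject $mgmt -MethodName 'UpdateScanMethod'
    # ReturnValue 0 means the scan request was accepted.
    return $result.ReturnValue
}

Write-Host 'Installed Store codec/extension packages (compare versions with the advisories):'
Get-StoreCodecPackages | Format-Table -AutoSize

Write-Host 'Requesting a Microsoft Store update scan...'
$rc = Start-StoreUpdateScan
if ($rc -eq 0) {
    Write-Host 'Scan requested. Re-run Get-StoreCodecPackages after a few minutes to confirm new versions.'
} else {
    Write-Warning "UpdateScanMethod returned $rc"
}
```

Because the page gives no fixed package version numbers, the script deliberately does not hard-code a "patched" threshold; compare the reported versions against the advisory entries for CVE-2020-1425 and CVE-2020-1457 before treating a host as remediated.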
The company also said that there are no workarounds or mitigating factors for these vulnerabilities, so applying the Store update is the only remediation.
The vulnerabilities were privately reported to the company, and Microsoft said there is no evidence that they have been exploited in the wild.
Microsoft credited Abdul-Aziz Hariri, a security researcher at Trend Micro, for discovering the two bugs and sharing the details with Microsoft.
The two out-of-band updates come just weeks after the company's largest-ever Patch Tuesday release in June 2020, which addressed a total of 129 security vulnerabilities across its products and platforms.
Earlier, in March 2020, the company fixed 115 bugs, the second-largest monthly update so far, and the April 2020 release, which fixed 113 bugs, was the third-largest.