Microsoft Windows Codec Library RCE Vulnerabilities (CVE-2020-1425, CVE-2020-1457)

Summary:

Microsoft released emergency fixes ahead of the July 2020 Patch Tuesday to address two critical Remote Code Execution (RCE) vulnerabilities.

Description:

According to the advisories, Abdul-Aziz Hariri of Trend Micro's Zero Day Initiative discovered and reported two RCE vulnerabilities, CVE-2020-1425 and CVE-2020-1457, to Microsoft. Both affect the Microsoft Windows Codecs Library on Windows 10 and Windows Server operating systems.

The vulnerabilities exist in the way the Microsoft Windows Codecs Library handles objects in memory. Because user-supplied data is not properly validated while parsing HEIC image files, the parser can read beyond the end of an allocated data structure. An attacker would need a target user or application to open or render a specially crafted image file; successful exploitation could give the attacker information that helps further compromise the system, or allow arbitrary code execution.

In response, Microsoft released emergency fixes ahead of the July 2020 Patch Tuesday. At the time of the advisories Microsoft stated that neither CVE had been publicly disclosed and that no active exploitation had been observed.

No further information was available at the time of publishing this blog.

Affected Products:

  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809
  • Windows 10 version 1903
  • Windows 10 version 1909
  • Windows 10 version 2004
  • Windows Server version 2004
  • Windows Server 2019
  • Windows Server version 1803
  • Windows Server version 1903
  • Windows Server version 1909

Remediation:

The fix is delivered through the Microsoft Store, not Windows Update: the affected codec ships as a Store package (HEVC Video Extensions), so systems with automatic Store updates enabled receive the patched package without any action. To get the update immediately, open the Microsoft Store app, go to Downloads and updates, and check for updates manually. Note that Store updates are applied per user profile, so each user on a shared system must receive the updated package.
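The following PowerShell is an added example for verifying the remediation on a host, not code from the Qualys post or from Microsoft. It inventories the Store codec packages that carry the fix for every user profile and flags any below a minimum version. The minimum versions in the script are placeholders (assumed, fill them from Microsoft's advisory for CVE-2020-1425 and CVE-2020-1457), and the update-scan call at the end uses the WMI MDM bridge, which only works when run as SYSTEM.

```powershell
# Added example (not from the original post or Microsoft): check whether the Store
# codec packages on this machine are at or above the patched version and, if not,
# kick off a Store update scan.
# Run from an elevated prompt; -AllUsers needs it. The version numbers below are
# placeholders (assumption): replace them with the fixed versions named in the advisory.
$minimumVersions = @{
    # Store-purchased package (Windows Codecs Library HEVC/HEIC support)
    'Microsoft.HEVCVideoExtension'  = [version]'0.0.0.0'   # placeholder, see advisory
    # OEM-licensed variant ("HEVC Video Extensions from Device Manufacturer")
    'Microsoft.HEVCVideoExtensions' = [version]'0.0.0.0'   # placeholder, see advisory
}

$results = foreach ($name in $minimumVersions.Keys) {
    # Store packages are installed per user profile, so enumerate all users.
    $pkgs = Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        # Package absent: the vulnerable codec is not installed for any user.
        [pscustomobject]@{ Package = $name; Version = $null; Users = ''; Status = 'NotInstalled' }
        continue
    }
    foreach ($pkg in $pkgs) {
        $ver   = [version]$pkg.Version
        $users = ($pkg.PackageUserInformation | ForEach-Object { $_.UserSecurityId.UserName }) -join ','
        [pscustomobject]@{
            Package = $pkg.Name
            Version = $ver
            Users   = $users
            Status  = if ($ver -ge $minimumVersions[$name]) { 'Patched' } else { 'NeedsUpdate' }
        }
    }
}

$results | Format-Table -AutoSize

# If any copy is below the minimum, ask the Store to scan for updates now instead of
# waiting for the automatic cycle. This is the MDM bridge's documented update-scan
# method; it must be invoked in the SYSTEM context (e.g. via a scheduled task).
if ($results.Status -contains 'NeedsUpdate') {
    Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                    -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName 'UpdateScanMethod' | Out-Null
    Write-Warning 'Out-of-date codec package found; Store update scan requested.'
}
```

A package reported as NotInstalled means the affected codec is not present for any profile, which is also the state after removing the package with Remove-AppxPackage; NeedsUpdate means at least one user still holds the vulnerable version and should open the Store or receive the update from the scan above.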

Detection:

Qualys customers can scan their network with QID 91652 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.
