Microsoft releases emergency security update to fix two bugs in Windows codecs

Microsoft published two out-of-band security updates on Tuesday to patch two vulnerabilities in the Microsoft Windows Codecs Library.

Tracked as CVE-2020-1425 and CVE-2020-1457, the two bugs impact only Windows 10 and Windows Server 2019 distributions.

In security advisories published today, Microsoft said the two security flaws can be exploited with the help of a specially crafted image file.

If the malformed images are opened inside apps that use the built-in Windows Codecs Library to handle multimedia content, attackers would be able to run malicious code on the Windows computer and potentially take over the device.

The two bugs — described as two remote code execution (RCE) vulnerabilities — received patches earlier today.

The patches have been deployed to customer systems via an update to the Windows Codecs Library, delivered through the Windows Store app — not the Windows Update mechanism.

“Customers do not need to take any action to receive the update,” Microsoft said.

Redmond said the bugs were privately reported and had not been exploited in the wild before today’s patches.

The OS maker said it learned of the bugs through a report from Trend Micro’s Zero Day Initiative, a program that mediates communication between security researchers and larger companies. Microsoft credited Abdul-Aziz Hariri with first discovering the bugs and then passing them to the ZDI team.