Microsoft has released two emergency out-of-band Windows Codecs Library patches for multiple Windows 10 and Windows Server versions. The release comes nearly two weeks before the next ‘Patch Tuesday’ updates scheduled for July 14.
An attacker could exploit either of the two Windows Codecs Library vulnerabilities, CVE-2020-1425 (rated Critical) and CVE-2020-1457 (rated Important), to execute arbitrary code and take control of an affected system.
“A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code,” Microsoft warned in the advisories.
Microsoft added that exploitation requires a program to process a specially crafted image file. No user interaction beyond that is needed: any application that hands untrusted image or media data to the library is a possible entry point, not only a browser or media player.
Windows Codecs Library is the collection of components Windows uses to compress and decompress digital media data. Attackers have exploited codec vulnerabilities before as part of phishing campaigns that trick victims into opening malicious media files downloaded from the internet; because the flaw is in the decoder, simply opening the file in a vulnerable application is enough.
Microsoft lists the following affected products:
- Windows 10 (multiple versions, 1709 through 2004)
- Windows Server 2019 and Windows Server 2019 (Server Core installation)
- Windows Server (multiple versions, Server Core installation)
Readers may remember that Microsoft also released another out-of-band patch on June 17 to fix a Windows 10 spatial data service vulnerability CVE-2020-1441. An attacker could exploit that vulnerability to overwrite or modify a protected file leading to privilege escalation.
Microsoft chose to ship these fixes out-of-band rather than hold them for Patch Tuesday, and the bug is reachable by getting a single crafted image processed, so these patches should be prioritized ahead of the next patch cycle. One caveat for administrators: Microsoft's advisories state that the fix is delivered through the Microsoft Store as an update to the affected codec package rather than through Windows Update, so hosts where the Store is blocked or disabled will not receive it automatically and need to be checked separately.
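The following PowerShell snippet is an added example, not code from the article or from Microsoft, that inventories the Store-delivered codec packages on a host and compares their versions against the fixed build. The package names (Microsoft.HEVCVideoExtension for the OEM-preinstalled codec and Microsoft.HEVCVideoExtensions for the Store-purchased one) and the version number in the usage line are assumptions for illustration; take the actual package names and fixed build from Microsoft's advisory for CVE-2020-1425 / CVE-2020-1457 before relying on the result.

```powershell
# Added example (not from the article or from Microsoft's advisory).
# Lists installed codec extension packages and flags any that are below the
# fixed build the operator supplies from the advisory.
function Test-CodecPackageVersion {
    param(
        # Fixed build taken from the Microsoft advisory; deliberately not hard-coded here.
        [Parameter(Mandatory)][version]$FixedVersion,

        # Package names are assumptions about how the HEVC codec is published;
        # verify them against the advisory's affected-product list.
        [string[]]$PackageNames = @(
            'Microsoft.HEVCVideoExtension',   # preinstalled by the device manufacturer
            'Microsoft.HEVCVideoExtensions'   # installed from the Microsoft Store
        )
    )

    # -AllUsers needs an elevated session; without it only the current user's
    # packages are visible, which can hide an unpatched copy for another profile.
    $installed = Get-AppxPackage -AllUsers |
        Where-Object { $PackageNames -contains $_.Name }

    if (-not $installed) {
        # No codec package found: the vulnerable component is not present, but
        # confirm against the advisory rather than assuming the host is unaffected.
        return [pscustomobject]@{ Name = '(none installed)'; Version = $null; Patched = $null }
    }

    foreach ($pkg in $installed) {
        [pscustomobject]@{
            Name         = $pkg.Name
            Architecture = $pkg.Architecture
            Version      = [version]$pkg.Version
            # A build at or above the advisory's fixed version is considered patched.
            Patched      = ([version]$pkg.Version -ge $FixedVersion)
        }
    }
}

# Usage (the version below is illustrative; substitute the fixed build from the advisory):
Test-CodecPackageVersion -FixedVersion '1.0.31822.0' | Format-Table -AutoSize
```

Run this from an elevated PowerShell session on each host of interest. A package reported with Patched = False on a machine where the Microsoft Store is blocked by policy means the out-of-band fix has not arrived and the Store update path (or an alternative deployment of the updated package) needs to be unblocked for that host.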