Microsoft Releases Urgent Windows Update to Patch Two Critical Flaws

Microsoft yesterday quietly released out-of-band software updates to patch two high-risk security vulnerabilities affecting hundreds of millions of Windows 10 and Server editions’ users.

To be noted, Microsoft rushed to deliver patches almost two weeks before the upcoming monthly ‘Patch Tuesday Updates’ scheduled for 14th July.

That’s likely because both flaws reside in the Windows Codecs Library, an easy attack vector to social engineer victims into running malicious media files downloaded from the Internet.

For those unaware, Codecs is a collection of support libraries that help the Windows operating system to play, compress and decompress various audio and video file extensions.

The two newly disclosed security vulnerabilities, assigned CVE-2020-1425 and CVE-2020-1457, are both remote code execution bugs that could allow an attacker to execute arbitrary code and control the compromised Windows computer.

According to Microsoft, both remote code execution vulnerabilities reside in the way Microsoft Windows codec library handles objects in memory.

However, exploiting both flaws requires an attacker to trick a user running an affected Windows system into clicking on a specially crafted image file designed to be opened with any app that uses the built-in Windows Codec Library.

Out of both, CVE-2020-1425 is more critical because the successful exploitation could allow an attacker even to harvest data to compromise the affected user’s system further.

The second vulnerability, tracked as CVE-2020-1457, has been rated as important and could allow an attacker to execute arbitrary code on an affected Windows system.

However, none of the security vulnerabilities has been reported as being publicly known or actively exploited in the wild by hackers at the time Microsoft released emergency patches.

According to advisories, both vulnerabilities were reported to Microsoft by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative and affect the following operating systems:

  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809
  • Windows 10 version 1903
  • Windows 10 version 1909
  • Windows 10 version 2004
  • Windows Server 2019
  • Windows Server version 1803
  • Windows Server version 1903
  • Windows Server version 1909
  • Windows Server version 2004

Since Microsoft is not aware of any workaround or mitigating factor for these vulnerabilities, Windows users are strongly recommended to deploy new patches before attackers start exploiting the issues and compromise their systems.

However, the company is rolling out the out-of-band security updates through the Microsoft Store, so the affected users will be automatically updated without requiring any further action.

Alternatively, if you want don’t want to wait for a few more hours or a day, you can immediately install patches by checking for new updates through the Microsoft Store.

Quote of the day

Logic is the foundation of science but not the foundation of life. Logic is applicable to dead things, to objects, because the basic method of logic is dissection. The moment you dissect something you kill it, so if you want to find life through logic you will never find it; the very method prohibits it.

You can cut a rose flower, you can dissect it, you can put all the ingredients separately into different bottles methodically labelled, but one thing will be missing: there will be no beauty to be found and no life to be found, no joy to be found, no dance of the rose flower in the wind, in the rain, in the sun; they will all be gone. There will be a few chemicals, but those chemicals are not the rose flower, those chemicals were simply the situation in which the rose has appeared. They don’t constitute the rose, they only constituted the situation for the appearance of the rose. If you take them away, the rose disappears into its invisible world.

Rajneesh