Microsoft developers have published unscheduled security updates to fix two serious vulnerabilities in the Windows Codecs Library.
The vulnerabilities were discovered by Trend Micro Zero Day Initiative and received the identifiers CVE-2020-1425 and CVE-2020-1457. They affect only Windows 10 (versions 1709, 1803, 1809, 1903, 1909 and 2004) and Windows Server 2019 (1709, 1903 and 2004).
On the CVSSv3 vulnerability rating scale, both problems scored 7.3 out of a possible 10. Microsoft itself classifies one vulnerability as critical and the other as important.
The company says that these problems can be exploited using a specially crafted image file. If such a file is opened in an application that uses the Windows Codecs Library to process media content, the attacker will be able to collect data about the system, as well as run arbitrary code on the target machine and take control of the device.
Interestingly, patches for the vulnerabilities in the codec library are distributed through the Windows Store, not through Windows Update. However, users do not need to take any action to obtain the patches; everything will be done automatically.