Microsoft issues emergency update to fix two vulnerabilities impacting Windows 10 and Windows Server

The bugs exist in the way that the Microsoft Windows Codecs Library handles objects in memory

Microsoft has released emergency security updates to fix two security bugs that could allow hackers to remotely execute arbitrary code on vulnerable systems running Windows 10 and Windows Server 2019.

According to Microsoft, the two bugs, tracked as CVE-2020-1425 and CVE-2020-1457, exist in the Windows Codecs Library, which the OS uses to handle compression of large multimedia files (photos/videos) and which applications use to decode those files for playback.

Both RCE flaws exist in the way that the Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the flaws could obtain information to further compromise the targeted system.

To exploit the bugs, an attacker would need a user to open a specially crafted image file within an application that uses the Windows Codecs Library. To achieve that, hackers can lure a target into downloading and opening a malicious image file delivered through either email or a compromised website.

The security updates released by Microsoft address the bugs by correcting how the Microsoft Windows Codecs Library handles objects in memory.

CVE-2020-1425 and CVE-2020-1457 were rated as "critical" and "important," respectively, by Microsoft.

Users don't need to take any action to receive the updates, as the patches will be deployed automatically to affected systems through the Microsoft Store, the company said. Those who want to update their systems immediately can check for updates in the Microsoft Store app.

The company also said that there are no workarounds or mitigations for these vulnerabilities.

The vulnerabilities were privately reported to the company, and there is no evidence to suggest that they have been used in the wild by attackers, Microsoft added.

Microsoft credited Abdul-Aziz Hariri, a security researcher at Trend Micro, for discovering the two bugs and sharing the details with Microsoft.

The two out-of-band security updates from Microsoft come just weeks after the company's largest-ever Patch Tuesday update in June, which addressed a total of 129 security vulnerabilities across a suite of products and platforms.

Earlier, in March, the company had fixed 115 bugs, making that the second-largest update so far from the software giant.

The third-largest update was released in April 2020, which fixed 113 bugs.