Two updates are now available for all users

Jul 1, 2020 03:37 GMT

Microsoft has released two emergency security updates to resolve security flaws in Windows 10 and Windows Server, some two weeks before the next Patch Tuesday cycle.

While Microsoft says that the flaws aren’t publicly disclosed and “exploitation is less likely,” the company chose to patch both vulnerabilities as soon as possible rather than wait for the July 14 Update Tuesday.

The two remote code execution bugs, which are detailed by Microsoft in CVE-2020-1425 and CVE-2020-1457, can allow an attacker to execute arbitrary code and take control of the compromised computer.

Microsoft says the flaws exist in the way the Windows Codecs Library handles objects in memory, and a successful exploit would use a crafted image file that needs to be opened on the target machine.

“A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system,” Microsoft says.

The bugs affect the following operating systems:

  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809
  • Windows 10 version 1903
  • Windows 10 version 1909
  • Windows 10 version 2004
  • Windows Server 2019
  • Windows Server version 1803
  • Windows Server version 1903
  • Windows Server version 1909
  • Windows Server version 2004

“Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” Microsoft notes in the two CVE documents.

The bugs were reported to Microsoft by Trend Micro Zero Day Initiative security researcher Abdul-Aziz Hariri. The software giant says users can download the updates from the Microsoft Store on the affected platforms, as the patches are part of the updated Windows Media Codec on these systems. The updates are, however, shipped automatically through the Microsoft Store.