Microsoft releases urgent Windows update to fix two critical flaws

Microsoft yesterday quietly released out-of-band software updates to address two high-risk security vulnerabilities that affect hundreds of millions of users of Windows 10 and Server editions.

Notably, Microsoft rushed the patches out almost two weeks ahead of its next monthly Patch Tuesday release, scheduled for July 14.

Probably because both flaws reside in the Windows Codecs Library, which makes them an easy attack vector: a socially engineered victim only has to open a malicious media file downloaded from the Internet.

For those who don't know, the Codecs Library is a collection of support libraries that help the Windows operating system play, compress and decompress audio and video files in various formats.

The two newly disclosed security vulnerabilities, assigned CVE-2020-1425 and CVE-2020-1457, are remote code execution bugs that could allow an attacker to execute arbitrary code and take control of the compromised Windows computer.

According to Microsoft, both remote code execution vulnerabilities reside in the way that the Microsoft Windows codec library handles objects in memory.

However, exploiting either flaw requires an attacker to trick a user of an affected Windows system into opening a specially crafted image file in any application that uses the Windows Codecs Library.

Of the two, CVE-2020-1425 is more critical, because successful exploitation could allow an attacker to collect data to further compromise the affected user's system.

The second vulnerability, tracked as CVE-2020-1457, was classified as important and could allow an attacker to execute arbitrary code on an affected Windows system.

However, neither vulnerability was reported to be publicly known or actively exploited in the wild at the time Microsoft released the emergency patches.

According to the advisories, both vulnerabilities were reported to Microsoft by Abdul-Aziz Hariri of Trend Micro's Zero Day Initiative and affect the following operating systems:

  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809
  • Windows 10 version 1903
  • Windows 10 version 1909
  • Windows 10 version 2004
  • Windows Server 2019
  • Windows Server version 1803
  • Windows Server version 1903
  • Windows Server version 1909
  • Windows Server version 2004

Since Microsoft is not aware of any workarounds or mitigating factors for these vulnerabilities, Windows users are strongly advised to deploy the new patches before attackers begin to exploit the flaws and compromise their systems.

That said, the company is delivering the out-of-band security updates through the Microsoft Store, so affected users receive them automatically without any further action.

Alternatively, if you don't want to wait a few more hours or a day, you can install the patches immediately by checking for new updates in the Microsoft Store.
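Because these updates arrive through the Microsoft Store rather than Windows Update, an administrator may want to confirm on each machine that the Store-delivered codec package has actually reached its patched version. The following PowerShell check is an added example, not code from the article or from Microsoft; the package name and minimum fixed version are placeholders to be filled in from Microsoft's advisory for CVE-2020-1425 and CVE-2020-1457, since the article does not state them. `Get-AppxPackage` is the standard Windows cmdlet for listing installed Store packages.

```powershell
# Added example (not from the original article).
# PLACEHOLDERS: take the real package name and minimum fixed version from
# Microsoft's advisory for CVE-2020-1425 / CVE-2020-1457.
$PackageName  = 'PLACEHOLDER.CodecPackageName'   # Store codec package named in the advisory
$FixedVersion = [version]'0.0.0.0'               # minimum patched version from the advisory

function Test-CodecPackagePatched {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    # -AllUsers enumerates packages in every user profile; this needs an elevated shell.
    $packages = Get-AppxPackage -AllUsers -Name $Name -ErrorAction SilentlyContinue
    if (-not $packages) {
        # Package absent: this machine is not exposed through this Store package.
        return [pscustomobject]@{
            Name = $Name; Installed = $false; Version = $null; Patched = $null
        }
    }
    foreach ($pkg in $packages) {
        # Appx versions are four-part strings, so [version] compares them correctly.
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Name      = $pkg.Name
            Installed = $true
            Version   = $installed
            Patched   = ($installed -ge $MinimumVersion)
        }
    }
}

$results = Test-CodecPackagePatched -Name $PackageName -MinimumVersion $FixedVersion
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Installed -and -not $_.Patched }) {
    Write-Warning 'Unpatched codec package found: check for updates in the Microsoft Store or wait for the automatic update.'
    exit 1
}
```

Run it from an elevated PowerShell prompt; a non-zero exit code makes it easy to wire into a fleet-wide compliance check, and a result with `Installed = $false` means the codec package is simply not present on that machine.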


Felipe Santos
Felipe Santos is a Cloud and Security Architect with experience in Windows Server, clustering, storage, Veeam backup and Office 365 environments.