Microsoft rolls out patches to Windows 10 on a more or less regular schedule these days, but it wastes no time when there’s a flaw that could put users at risk. The company is dealing with just such a scenario right now. A pair of bugs in Windows 10 and Windows Server 2019 could allow attackers to create corrupted image files that let them execute remote code on machines. Microsoft’s mechanism for patching this flaw is a bit unusual, though.
The bugs, known as CVE-2020-1425 and CVE-2020-1457, are inside the Windows Codecs Library. This component contains the necessary software to decode and render many different image and video formats in Windows. By causing a buffer overflow with malformed image files, an attacker can “trick” the computer into leaking important data and running code hidden in the image files.
Microsoft says the bugs were disclosed privately, and it has no evidence of in-the-wild attacks. Remote code execution attacks are serious, but they used to be even more so. Address Space Layout Randomisation (ASLR) in modern operating systems helps reduce the danger by making attackers guess at where to insert their code. More often than not, the malicious program will just crash instead of taking over the system. However, the combination of CVE-2020-1425 and CVE-2020-1457 could be a problem.
Since the attack vectors are non-public, Microsoft is being a bit coy about the specifics. Based on Microsoft’s vulnerability descriptions, CVE-2020-1425 and CVE-2020-1457 serve different functions, and they’re probably both needed for a successful hack. CVE-2020-1425 can be used to obtain data about the system’s memory configuration, and CVE-2020-1457 can most likely use that data to evade ASLR and execute the payload successfully. This would be a valuable vector to shadowy internet figures, but whoever discovered it did the right thing by disclosing it to Microsoft.
These vulnerabilities could be particularly dangerous because many different programs like browsers, image galleries, and so on rely on the Windows Codecs Library. The good news is this is one of the easier bugs to fix because the library is the same across all affected systems. However, Microsoft has deployed a patched version of the library in the Windows Store — not via Windows Update. You don’t have to do anything to get the patch, but you can manually pull down updates in the Store if you don’t want to wait.