Microsoft Releases Emergency Security Updates for Windows 10, Server

The patches fix two separate RCE bugs in Windows Codecs that allow hackers to exploit playback of multimedia files.

Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.

Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications. The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and an important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update on Tuesday night and affect several versions of Windows 10 and Windows Server 2019.

Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates.

CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library.

Microsoft included a complete list of the Windows 10 and Windows Server distributions affected in its advisories, which offered little in terms of specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabilities.

Affected customers need to take no action to receive the update, as they will be automatically updated by Microsoft Store, according to the company. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App.

Microsoft credited security researcher Abdul-Aziz Hariri for identifying the flaws and reporting them to Trend Micro’s Zero Day Initiative (ZDI), according to a published report in ZDNet.

It’s not completely uncommon for Microsoft to release updates outside of the second Tuesday of every month, also known as “Patch Tuesday.” However, the company typically does so in response to vulnerabilities uncovered by third-party security researchers, including from rivals such as Google, that are found to be under attack. Microsoft said it has not detected either Windows Codecs Library flaw being exploited in the wild.

These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

  • Dennis M Aston on

    Why, pray tell, are they pushing this patch through the windows store? An excellent way to not allow me to force a deadline on it for my machines or track how well things are patched/resolved. Dumpster fire.
  • Craig Rich on

    So since you cannot install the Microsoft Store App on Windows Server 2019 how is one supposed to patch this?
  • James Rackley on

    My company took a week off for the 4th and when I came back yesterday, I have and am still seeing weird stuff going on. One Windows 10 machine will not keep its network connection to the internet. After troubleshooting it says DHCP needs to be enabled, yet I've assigned IPs to everything. I also have a Windows 10 machine that when you type the password in for the user account, it says it's wrong but takes it the second time. First couple of times I chalked it up to me fat fingering the pw, nope. Every time it is rebooted, the password fails on the first attempt. I also have a Windows 7 machine that is now printing shipping labels backwards. All the information and bar codes are there, just prints in reverse. Before it would print the bottom of the label first and end at the top. This was so the operator could just peel the label off and put it on the case. Now, it is printing the top of the label first, ending with the bottom. Do you know how many cases I have with upside down label stickers because nobody looked until someone noticed walking to the breakroom? I think I will just turn off updates and not bother with them until something stops working. I spend more time fixing things after a MS update than I do from a thunder storm.
