Microsoft has released patches to fix two remote code execution vulnerabilities in Microsoft Windows Codecs Library. HEVC or Windows codecs library is responsible for handling large media files and decoding them for playback. HEVC is used by developers as it supports a multitude of different file formats. This Windows Extension is designed to take advantage of the hardware capabilities of newer processors and GPU to decode and play Ultra HD content.
Following are the details of the vulnerabilities :
Both of these vulnerabilities exist as to how Microsoft Windows Codecs Library handles objects in memory. Microsoft has not released information on attack vectors which can abuse these flaws, In order to exploit them, it requires that a program processes a specially crafted file.
CVE-2020-1425: A Remote Code Execution vulnerability which is rated as critical exists in Microsoft HEVC. Once this vulnerability is successfully exploited, an attacker can use the disclosed information to further compromise the system.
RCE bugs are generally unexploitable because of Address Space Layout Randomisation (ASLR). ASLR is a security feature that makes memory mapping in every system different, thus leaving the attacker to only guess where to put malicious code. But in this case, this vulnerability can be exploited to disclose sensitive information which includes system data and memory layout.
CVE-2020-1457: Also a Remote Code Execution vulnerability which is rated as important exists in the same Windows Extension HEVC. Both of these vulnerabilities require a malicious file in order to execute remote code. The information gained by the previous method can be used to exploit this vulnerability.
- HEVC Microsoft windows codec library
Affected Windows versions:
- Windows 10/Server version 1709 and newer
- Windows Server 2019
Microsoft has released fixes for HEVC and customers can update it via Microsoft Store.
SanerNow security content has been published to detect this vulnerability. We strongly recommend installing Microsoft security updates without any delay.