Microsoft has released patches to fix two remote code execution vulnerabilities in Microsoft Windows Codecs Library. HEVC or Windows codecs library is responsible for handling large media files and decoding them for playback. HEVC by developers as it supports a multitude of different file formats. This Windows Extension designed to take advantage of the hardware capabilities of newer processors and GPU to decode and play Ultra HD content.
Two vulnerabilities, one of which is rated as critical CVE-2020-1425 and other as important CVE-2020-1457, affects multiple Windows 10 versions and Windows Server 2019. A vulnerability management tool can detect and mitigate these two vulnerabilities.
Following are the details of the vulnerabilities :
Both of these vulnerabilities exist as to how Microsoft Windows Codecs Library handles objects in memory. Microsoft has not released information on attack vectors which can abuse these flaws, In order to exploit them, it requires that a program processes a specially crafted file.
CVE-2020-1425: A Remote Code Execution vulnerability rated as critical exists in Microsoft HEVC. Once this vulnerability is successful, an attacker can use the disclosed information to further compromise the system.
RCE bugs are generally unexploitable because of Address Space Layout Randomisation (ASLR). ASLR is a security feature that makes memory mapping in every system different, thus leaving the attacker to only guess where to put malicious code. But in this case, this vulnerability exploited to disclose sensitive information which includes system data and memory layout.
CVE-2020-1457: Also a Remote Code Execution vulnerability which is rated as important exists in the same Windows Extension HEVC. Both of these vulnerabilities require a malicious file in order to execute remote code. The information gained by the previous method to exploit this vulnerability.
Affected Application:
- HEVC Microsoft windows codec library
Affected Windows versions:
- Windows 10/Server version 1709 and newer
- Windows Server 2019
Solution
Microsoft has released fixes for HEVC and customers can update it via Microsoft Store.
SanerNow security content published to detect this vulnerability. We strongly recommend installing Microsoft security updates without any delay.