Security News (July 2020): Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10

Microsoft has emitted a pair of security patches to address flaws in Windows 10 that can be potentially exploited by miscreants to hijack PCs. A victim simply needs to be tricked into opening a file containing a specially crafted image on a vulnerable system.
In the case of CVE-2020-1457, a successful exploit would give the attacker arbitrary code execution on the victim's computer, while Microsoft said CVE-2020-1425 would let the aggressor "Obtain information to further compromise the user's system", even though it too is classified as a remote-code-execution flaw.
If there's some good news to be had from this, it is that Windows 10 in its default setup is not vulnerable.
The vulnerable component is the HEVC (H.265) video codec, which is not part of the base operating system but an optional add-on downloaded from the Windows Store.
Redmond said it released these fixes outside its usual Patch Tuesday cycle because HEVC is a Windows Store download, and so is not tied to the patch release timings of built-in Windows 10 components.
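The practical question for an administrator is whether the optional codec is present on a machine at all and, if so, whether the Store has already delivered the fixed build. The script below is an added example, not code from the article or from Microsoft: it lists any installed HEVC codec packages and compares their version against a fixed version that the caller supplies. The package-name pattern `Microsoft.HEVCVideoExtension*` and the parameter name `FixedVersion` are assumptions; the patched version number is not stated on this page and must be taken from Microsoft's advisory for CVE-2020-1425 and CVE-2020-1457.

```powershell
# Added example (not from the article or Microsoft): report whether the optional
# HEVC codec package is installed and whether it is older than the fixed build.
param(
    # Assumption: caller supplies the patched version from the MSRC advisory,
    # e.g. .\Check-HevcCodec.ps1 -FixedVersion <version from advisory>
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion
)

# Assumption: both Store SKUs of the codec (the paid "HEVC Video Extensions" and
# the "HEVC from Device Manufacturer" one) share this package-name prefix.
$pattern = 'Microsoft.HEVCVideoExtension*'

# -AllUsers covers every profile on the box but needs an elevated shell;
# fall back to the current user's packages if that fails.
try {
    $packages = Get-AppxPackage -AllUsers -Name $pattern -ErrorAction Stop
} catch {
    Write-Warning "Not elevated; checking the current user's packages only."
    $packages = Get-AppxPackage -Name $pattern
}

if (-not $packages) {
    # Default Windows 10 install: no optional codec, so not affected by these CVEs.
    Write-Output "HEVC codec package not installed; this machine is in the default, unaffected state."
    return
}

foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    $status = if ($installed -lt $FixedVersion) {
        'VULNERABLE - update the package from the Windows Store'
    } else {
        'patched'
    }
    [pscustomobject]@{
        Package          = $pkg.Name
        InstalledVersion = $installed
        FixedVersion     = $FixedVersion
        Status           = $status
    }
}
```

Because the fix ships through the Store rather than through Windows Update, machines on which the Store is blocked by policy or which never sign in to it will not pick up the patched package automatically; those are the hosts on which a version check like this one is worth running.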
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/02/microsoft_codec_rce_fix/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score)
---|---|---|---
2020-07-27 | CVE-2020-1425 | Unspecified vulnerability in Microsoft Windows 10: a remote code execution vulnerability exists in the way that the Microsoft Windows Codecs Library handles objects in memory, aka 'Microsoft Windows Codecs Library Remote Code Execution Vulnerability'. | 7.8
2020-07-27 | CVE-2020-1457 | Out-of-bounds write vulnerability in Microsoft Windows 10: a remote code execution vulnerability exists in the way that the Microsoft Windows Codecs Library handles objects in memory, aka 'Microsoft Windows Codecs Library Remote Code Execution Vulnerability'. | 7.8