Microsoft on Tuesday issued emergency security updates for two vulnerabilities that could allow attackers to run remote code execution against victims.
One of the flaws, catalogued as CVE-2020-1425, would allow attackers to gather information from victims about further compromising their targets. If attackers were to exploit another flaw, catalogued as CVE-2020-1457, they would be capable of executing arbitrary code, Microsoft said. To exploit the vulnerabilities, which affect Windows 10 and Windows Server distributions, they would have to use a “specially crafted image file,” Microsoft said.
The flaws were rated as “critical” and “important,” respectively.
Microsoft has addressed the vulnerabilities by correcting how objects in memory are handled by Microsoft Windows Codecs Library. Customers don’t have to take any action to receive the updates, Microsoft said.
Microsoft typically issues patches for vulnerabilities on the second Tuesday of each month. And although Microsoft said it hasn’t seen any threat actors exploiting the vulnerabilities in the wild, the fact that the company issued an out-of-band update indicates it found them critical enough to raise alarm outside of its normally scheduled updates.
Microsoft said the flaws were of medium severity, according to the Common Vulnerability Scoring System.
Microsoft indicated Abdul-Aziz Hariri, a vulnerability analysis manager for Trend Micro’s Zero Day Initiative, is responsible for finding the vulnerabilities and sharing information with Microsoft.
Hariri told CyberScoop he initially found the flaws in March while writing a program, called a harness, to test a specific image format.
“It all started with a small project which was initially focused on writing a harness to trigger certain parsing code in Windows,” Hariri said. “When I finished writing the harness, I noticed through reversing that I can trigger the parsing code of the HEIC [High Efficiency Image Format] image format from the harness. That said, I started fuzzing the HEIC file format through the harness I wrote.”
In all, Hariri found 15 flaws, some of which Microsoft is still examining, he said. Microsoft did not immediately return request for comment on these flaws.
The news comes just weeks after Microsoft’s largest-ever Patch Tuesday update in June, which included 11 critical updates. In May, the company’s security updates focused on memory corruption and SharePoint vulnerabilities.