New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Microsoft Releases Out of Band RCE Patch

On June 30th, Microsoft released two emergency out-of-band updates for the Microsoft Windows Codecs Library for Windows 10 and Server. These two updates patch CVE-2020-1425 and CVE-2020-1457, which allow attackers to remotely execute code using a specially crafted image file sent to any application that uses the Microsoft library for processing multimedia files. This means that the vulnerability was present in many applications and could have been used by attackers to gain initial access in a stealthy way, depending on how each application implemented media messages. Fortunately, the bugs were privately reported to Microsoft by Trend Micro’s zero-day initiative and no attacks exploiting these vulnerabilities has been reported in the wild.

Analyst Notes

Binary Defense recommends that users always keep systems updated with the latest security patches, after appropriate testing and validation. In this case, every Windows 10 computer that is connected to the Internet should have already received the patch on Tuesday (June 30th) via the Windows Store application. Because vulnerabilities in multimedia processing are frequently targeted on both mobile devices and workstations, Binary Defense also recommends that users take care when opening images from unknown sources including email, instant messaging and MMS apps.

https://www.zdnet.com/article/microsoft-releases-emergency-security-update-to-fix-two-bugs-in-windows-codecs/