Microsoft Issues Two Emergency Security Updates
On Tuesday, June 30, 2020, Microsoft released two “out-of-band” emergency security updates for Windows 10 users. The updates patched two vulnerabilities that could allow attackers to achieve remote code execution against victims. Out-of-band patches are released outside the regular schedule of cumulative and security updates, which Microsoft normally issues on the second Tuesday of each month (Patch Tuesday).
The following is from CyberScoop…
One of the flaws, catalogued as CVE-2020-1425, would allow attackers to gather information from victims about further compromising their targets. If attackers were to exploit another flaw, catalogued as CVE-2020-1457, they would be capable of executing arbitrary code, Microsoft said. To exploit the vulnerabilities, which affect Windows 10 and Windows Server distributions, they would have to use a “specially crafted image file,” Microsoft said.
The flaws were rated as “critical” and “important,” respectively.
Microsoft has addressed the vulnerabilities by correcting how objects in memory are handled by Microsoft Windows Codecs Library. Customers don’t have to take any action to receive the updates, Microsoft said.
Microsoft typically issues patches for vulnerabilities on the second Tuesday of each month. And although Microsoft said it hasn’t seen any threat actors exploiting the vulnerabilities in the wild, the fact that the company issued an out-of-band update indicates it found them critical enough to raise alarm outside of its normally scheduled updates.