Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10

Redmond also praised for blocking malware control systems on its clouds

6 Reg comments Got Tips?

Microsoft has emitted a pair of security patches to address flaws in Windows 10 that can be potentially exploited by miscreants to hijack PCs. A victim simply needs to be tricked into opening a file containing a specially crafted image on a vulnerable system.

The Redmond giant said this week the exploitable bugs, CVE-2020-1457 and CVE-2020-1425, are in the Windows HEVC Codec Library that some applications use to process images.

In the case of CVE-2020-1457, a successful exploit would lead directly to arbitrary code execution on the victim's computer for the attacker, while Microsoft said CVE-2020-1425 would let the aggressor "obtain information to further compromise the user's system" though it is also described as a remote-code-execution flaw.

If there's some good news to be had from this, it is that Windows 10 in its default setup is not vulnerable. The HEVC codec in question is an optional add-on downloaded from the Windows Store.

Windows Server and older versions of Windows are not vulnerable.

It is relatively rare for Microsoft to post security updates outside of its normal Patch Tuesday cadence. In this case, Redmond said it went off-road because HEVC is a Windows Store download, and, therefore, not subject to the same patch release timings for built-in Windows 10 components.

Credit for the discovery went to Abdul-Aziz Hariri working through Trend Micro's Zero Day Initiative. The flaw was privately reported, and thus far there have been no reports of in-the-wild exploits.

Downloading a patch

Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely

READ MORE

Microsoft's next scheduled security update is July 14.

On the bright side for Microsoft, folks at F-Secure are applauding the US tech titan's security gurus for preventing botnet and malware operators from abusing Azure and Office 354 services.

F-Secure's Tim Carrington said his team can no longer use instances on either cloud service to function as command-and-control servers in its C3 framework.

The C3 service functions as a sort of proof-of-concept botnet service that F-Secure offers to help companies test their networks and services against real-world attacks. The idea is that, if testers can get in using C3, it's a safe bet that criminals can as well.

In this case, Carrington explained, Microsoft has beefed up its detection and removal tools, and as a result any attempts to spin up a malware command-and-control server with Office365 or Azure are wiped out within three hours.

"Microsoft has risen to the challenge of using offence to inform defense. This has not only disrupted F-Secure Consulting's red team operators, but delivered a killer blow to real-world threat actors," Carrington said.

"Any effort by an organization that forces attackers to redevelop their toolkit, and results in the redistribution of resources, is a welcome sight." ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020