CVE-2020-1425 - Windows Codecs Library RCE

A remote code execution in Windows Codecs Library has been fixed by Microsoft with out-of-band patch on 30th June 2020.

The vulnerability allows attacker to remotely execute arbitrary code, if the victim opens maliciously crafted media file.

Recent assessments:

busterb at July 07, 2020 6:42pm UTC reported:

This is paired with sister vulnerability CVE-2020-1457, is a memory corruption issue with Microsofts HEVC (High Efficiency Video Codec) that is a component one can optionally install from the Windows Store on Windows 10 and later. This is not a default component; it even requires the user to actually pay $0.99 in order to install it. So, in order for this to be exploitable::

• a user would have to have also configured the Windows Store to allow payments in the first place.

• a user would have had to have manually installed this codec and paid the fee

• the user would also have to have open a malicious file they downloaded

• while simultaneously not being connected to the internet such that the Windows Store could update (which it does automatically, and when a file is opened)

It is possible to enumerate that this codec is installed through a WMI query (see here for how to enumerate), but it is highly unlikely that it could be exploited in any viable way. It is not even possible to easily perform research on the memory corruption vulnerability itself at this time, since it does not appear possible to obtain the vulnerable version of the codec from the store anymore.

As an experiment, I downloaded several sample HEVC files, and was not even able to get the Windows video player to play them or open the store to install the codec in the first place, since Windows does not support many of the common video encapsulation formats used with HEVC.

HT to this helpful Slashdot thread for additional information: https://tech.slashdot.org/comments.pl?sid=16708416&cid=60262150

Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 1