In a pair of out-of-band updates, Microsoft patched two remote code execution (RCE) vulnerabilities, one rated critical and the other important.
Microsoft said the two vulnerabilities, CVE-2020-1425 (critical) and CVE-2020-1457 (important), which were fixed ahead of the company’s monthly Patch Tuesday updates, are not likely to be exploited.
“To successfully exploit this vulnerability, an attacker would need to deliver a specially crafted image file, like a JPG or TIFF or PNG, and convince the targeted victim to open the file,” said Richard Melick, senior technical product manager at Automox. “Data hidden within the image would then be processed by the image rendering program, executing arbitrary code on the endpoint.”
Melick said the code could then “be used to install a backdoor, allowing an attacker to modify user credentials, execute more code, or navigate laterally through the corporate network.”
Both patches are available for Windows 10, Windows Server 2019 and Windows Server Core installations.