Microsoft has just released emergency patches for two critical security holes in the Windows Codecs Library.
We all know what Windows means.
But what is a Codecs Library, and why are bugs in it such as a big deal that they need to be updated without waiting for the next Patch Tuesday to come round?
Well, codec is short for encoder-decoder, and it’s the jargon term for the sort of software that takes data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and reworks it so it can be sent and received easily.
The co- part of a codec takes something like a raw image, consisting of rows and rows of colour pixels, and wraps it up in a format such as as JPG or PNG so it can saved into a file for downloading or streaming.
The -dec part does the reverse at the other end, reading in the file, decompressing it (most images and videos are compressed for transmission because this saves an enormous amount of bandwidth) and getting it back into its raw form so it can be displayed.
The security challenge
The security challenge here is that the -dec part of any codec – for example, the software that converts JPG files that are downloaded as part of a web page so your browser can display them – can’t blindly assume that the co- part of the process was trustworthy.
The decoder generally doesn’t have any control over the original encoding process, because files received from outside will have been encoded by someone else, somewhere else, using encoding software entirely of their own choice.
So the decoder has to assume that any part of the encoded data could have been constructed maliciously by an attacker in order to trigger a bug in the decoder – which is often a complex piece of software.
For example, many image formats start by telling the decoder how wide and high the image is, and how many bytes are used to store each pixel, in order to help the decoder allocate the right amount of memory for the image once it’s unpacked.
But what if the data stored in the image doesn’t match the data that follows, and the decoder ends up reading in more pixel data than it allocated space for?
If that happens, and the decoder doesn’t detect the mismatch, you’ve got a buffer overflow, along with all the security problems that usually entails.
In fact, the problem is much worse than this simple example, because there are hundreds of different encoding algorithms for image and audio data, plus hundreds of different standards for packing together the encoded data into files for transmission…
…and users expect all their software,from word processors to video editors, to support as many of these combinations as possible.
Try your favourite image editor and see how many different file types it can load or save to get a feeling for how many combinations there are. We use an open-source tool called FFMPEG to create our videos, and the version we currently have includes more than 450 different decoders, and nearly 200 different encoders.
That’s where the Windows Codecs Library comes in, providing built-in support for a myriad different photo and video file formats to make it easy for software developers to support all the file formats that their users expect.
The bad news
Of course, the bad news in doing things that way is that a critical bug in the Codecs Library could end up affecting a whole raft of software programs at the same time, including browsers, document viewers, video editors, image gallery tools and more…
…but the good news is that if a critical bug does show up, it can be fixed for everyone in one go.
And that’s what’s happened here: the bugs CVE-2020-1425 and CVE-2020-1457 are described by Microsoft as follows:
CVE-2020-1425: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
CVE-2020-1427: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
We’re assuming that these vulnerabilities could be combined in order to implant malware.
Remote code execution bugs often aren’t much use on their own any more, because the crooks can’t figure out where in memory to place their attack code thanks to a security process known as Address Space Layout Randomisation (ASLR).
ALSR makes the memory layout on every computer different, so most unaided attacks have to guess where to poke around in memory, usually picking the wrong place and simply crashing instead of taking over.
But in this case, we’re guessing that attacker could start off by using the first vulnerability to “leak” secret operating system data, including the current memory layout, thus rendering ASLR useless and making the second vulnerability much easier to exploit.
What to do?
Technically, these bugs aren’t zero-days, because they were disclosed responsibly to Microsoft, which fixed them – as far as we know – before any cybercriminals figured them out.
But now the bugs are known publicly, you can assume that the crooks will be busy trying to work backwards from the patches to figure out how the vlunerabilities work. (Things are a lot easier to find if you know where to start looking!)
The updates are needed for Windows 10 and Windows Server 2019, and unlike your Patch Tuesday fixes, which arrive via the Security and Updates tab in Settings, Microsoft has pushed them out via the Windows Store:
How do I get the updated Windows Media Codec?
Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.