Here's How To Install Microsoft's Out-Of-Band Emergency Windows 10 Security Updates
Microsoft has made available a pair of out-of-band security patches for Windows 10, one of which is labeled as "critical" and the other as "important." Under normal circumstances, security patches get doled out on the second Tuesday of every month, otherwise known as Patch Tuesday. But in this case, Microsoft decided to make these particular ones available now, with Patch Tuesday still being two weeks away.
Both flaws—CVE-2020-1425 and CVE-2020-1457—exist within the Windows Codecs Library and the way it handles objects in memory.
According to Microsoft, if left unpatched, an attacker who leverages CVE-2020-1425 "could obtain information to further compromise the user's system." This is the one that is labeled as a critical security flaw, and it affects Windows 10 versions 1709 through version 2004, which is the latest release (May 2020 Update).
It also affects various Windows Server and Windows Server 2019 builds. There is no workaround, only a patch to plug the security hole.
Likewise, CVE-2020-1457 is another remote code execution vulnerability (meaning an attacker can leverage it remotely, as opposed to needing physical access to a system), and an attacker who successfully exploits it could execute arbitrary code. It affects the same varied crop of Windows 10 and Windows Server/Windows Server 2019 builds.
How To Install Patches For CVE-2020-1425 And CVE-2020-1457
Usually when there are out-of-band patches, they are either delivered through Windows Update or require a manual download, provided your PC meets the criteria for needing them. That is not the case with these patches, though.
Instead, they are being delivered through the Microsoft Store.
"Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update," Microsoft says.
To err on the side of caution, we recommend opening the Microsoft Store app to move things along. You can also navigate to the Downloads and updates section (click the three horizontal dots in the upper-right corner) and click the Get updates button, though you will only see app updates, not security patches that are downloaded and applied in the background.