Microsoft has released two out-of-band security updates to address remote code execution (RCE) bugs affecting the Windows Codecs Library and Visual Studio Code. The first vulnerability, tracked as CVE-2020-17022, affects users running Windows 10 version 1709 or later, while the second, CVE-2020-17023, affects the Visual Studio Code app. Microsoft has rated both vulnerabilities “important”; both are fixed by the new security updates.
Starting with CVE-2020-17022, Microsoft explains that the bug exists in the way that the “Microsoft Windows Codecs Library handles objects in memory.” According to ZDNet, attackers could exploit the vulnerability by getting a user to open a “malicious image” planted on the system. However, only users who installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are affected. Users can check whether the system has the HEVC codec installed by heading to Settings > Apps > Features > HEVC, Advanced Options. Additionally, the company says the fix is being rolled out automatically via the Microsoft Store and “customers do not need to take any action to receive the update.”
The second vulnerability, CVE-2020-17023, affecting Visual Studio Code is triggered by tricking a user into opening a malicious ‘package.json’ file. Once the crafted package.json file is loaded in Visual Studio Code, the attacker can execute arbitrary code. The impact of this vulnerability also depends on the privileges of the user running Visual Studio Code. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” Microsoft explained. The company further adds that the update fixes CVE-2020-17023 by modifying the way Visual Studio Code handles JSON files. Visual Studio Code users can get the security update by updating the app.
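For an administrator who needs to confirm which machines are actually in scope for the two advisories above, the Settings-app check and a manual version lookup do not scale. The following PowerShell script is an added example, not part of the article or of any Microsoft tooling: it lists the installed HEVC Store codec packages (the only systems exposed to CVE-2020-17022) and reports the installed Visual Studio Code version (for CVE-2020-17023). It assumes the Store package names for both HEVC variants match the pattern `Microsoft.HEVCVideoExtension*`; the fixed version numbers are not stated in the article, so they are left as placeholders to be filled in from the Microsoft advisories.

```powershell
# Added example (not from the article). Inventories the two components covered by
# CVE-2020-17022 (HEVC Store codecs) and CVE-2020-17023 (Visual Studio Code).
# Assumptions:
#   - Both HEVC Store packages match the name pattern 'Microsoft.HEVCVideoExtension*'.
#   - Fixed versions are PLACEHOLDERS ($null); fill them in from the advisories.
#     While they are $null the script reports "unknown" rather than guessing.
# Run in an elevated PowerShell session: -AllUsers requires administrator rights.

$HevcFixedVersion   = $null   # PLACEHOLDER, e.g. [version]'x.y.z.w' from the CVE-2020-17022 advisory
$VsCodeFixedVersion = $null   # PLACEHOLDER, e.g. [version]'x.y.z'   from the CVE-2020-17023 advisory

function Get-PatchState {
    param([version]$Installed, [version]$Fixed)
    # Compare installed vs. fixed version; without a fixed version we cannot decide.
    if ($null -eq $Fixed) { return 'unknown (fixed version not set)' }
    if ($Installed -ge $Fixed) { return 'patched' } else { return 'VULNERABLE' }
}

function Get-HevcCodecStatus {
    # Machines without either HEVC Store package are not exposed to CVE-2020-17022.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        return [pscustomobject]@{
            Component = 'HEVC Store codec'; Installed = $false; Version = $null
            State     = 'not installed (not affected)'
        }
    }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        [pscustomobject]@{
            Component = $p.Name; Installed = $true; Version = $v
            State     = Get-PatchState -Installed $v -Fixed $HevcFixedVersion
        }
    }
}

function Get-VsCodeStatus {
    # 'code --version' prints the version string on its first line; the CLI may be absent.
    $cli = Get-Command code -ErrorAction SilentlyContinue
    if (-not $cli) {
        return [pscustomobject]@{
            Component = 'Visual Studio Code'; Installed = $false; Version = $null
            State     = 'not installed (not affected)'
        }
    }
    $raw = (& $cli.Source --version 2>$null | Select-Object -First 1).Trim()
    # Strip any suffix such as '-insider' so the string casts to [version].
    $v = [version]($raw -replace '-.*$', '')
    [pscustomobject]@{
        Component = 'Visual Studio Code'; Installed = $true; Version = $v
        State     = Get-PatchState -Installed $v -Fixed $VsCodeFixedVersion
    }
}

# Emit one row per component; pipe to Export-Csv to collect results across a fleet.
Get-HevcCodecStatus
Get-VsCodeStatus | Format-Table -AutoSize
```

Because the HEVC fix is delivered through the Microsoft Store rather than Windows Update, a host that is current on Patch Tuesday updates can still carry an unpatched codec; comparing the package version from this script against the advisory's fixed version is the reliable check.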
Meanwhile, the company also released its monthly security update (October security patch) that patched 87 vulnerabilities across a wide range of Microsoft products.