Microsoft has released two unscheduled (out-of-band) security updates to address remote code execution (RCE) bugs affecting the Windows Codecs Library and Visual Studio Code. The first vulnerability, tracked as CVE-2020-17022, affects users running Windows 10 version 1709 or later, while the second, CVE-2020-17023, affects the Visual Studio Code app.
The company has rated both vulnerabilities as “important” in severity; both are now fixed by the security updates.
Starting with CVE-2020-17022, Microsoft explains that the bug exists in the way “Microsoft Windows Codecs Library handles objects in memory.” An attacker could exploit the vulnerability by planting a “malicious image” on a system and getting a user to open it. However, only users who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are affected. Users can check whether the system has the HEVC codec by heading to Settings > Apps > Features > HEVC, Advanced Options.
The second vulnerability, CVE-2020-17023, impacting Visual Studio Code, is exploited by tricking a user into opening a malicious ‘package.json’ file. Once the file is loaded in Visual Studio Code, the attacker can execute malicious code. The impact of this vulnerability also depends on the privileges of the user running Visual Studio Code: “If the current user is logged on with administrative user rights, an attacker could take control of the affected system.”
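For a defender who has to confirm across a fleet whether either update applies, the following PowerShell script is an added example, not part of the article and not Microsoft's own guidance. It automates the HEVC codec check described above (the Settings path) by enumerating the installed Store codec packages, and records the installed Visual Studio Code version alongside it. The package-name wildcard `Microsoft.HEVCVideoExtension*` is an assumption about how both Store offerings are named, and the two fixed-version values are placeholders to be filled in from the Microsoft advisories for CVE-2020-17022 and CVE-2020-17023.

```powershell
# Added example (not from the article or from Microsoft): inventory the two
# components affected by CVE-2020-17022 (Windows Codecs Library / HEVC codec)
# and CVE-2020-17023 (Visual Studio Code) on a Windows 10 host.
#
# PLACEHOLDERS: take the exact fixed build numbers from the Microsoft advisories.
# Leave them $null to only report what is installed.
$HevcFixedVersion   = $null   # e.g. [version]'x.y.z.w' from the CVE-2020-17022 advisory
$VsCodeFixedVersion = $null   # e.g. [version]'x.y.z'   from the CVE-2020-17023 advisory

function Get-HevcCodecStatus {
    # The optional Store codecs are installed as Appx packages. -AllUsers (requires
    # an elevated shell) covers every profile on the machine, not only the caller's.
    # ASSUMPTION: both the paid "HEVC Video Extensions" and the free "from Device
    # Manufacturer" package share the 'Microsoft.HEVCVideoExtension' name prefix.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        # Per the advisory text quoted above, hosts without the optional codec are not affected.
        return [pscustomobject]@{ Component = 'HEVC codec'; Installed = $false; Version = $null;
                                  Status = 'Not affected (optional codec not installed)' }
    }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        $status = if ($null -eq $HevcFixedVersion)  { 'Installed; compare against advisory' }
                  elseif ($v -ge $HevcFixedVersion) { 'Patched' }
                  else                              { 'VULNERABLE - update via Microsoft Store' }
        [pscustomobject]@{ Component = $p.Name; Installed = $true; Version = $v; Status = $status }
    }
}

function Get-VsCodeStatus {
    # 'code --version' prints the version string on its first line. The CLI shim is
    # on PATH for a default install; if it is not, the result is reported as unknown.
    $cmd = Get-Command code -ErrorAction SilentlyContinue
    if (-not $cmd) {
        return [pscustomobject]@{ Component = 'Visual Studio Code'; Installed = $false; Version = $null;
                                  Status = 'Not found on PATH (not installed or per-user install elsewhere)' }
    }
    $raw = (& $cmd.Source --version 2>$null | Select-Object -First 1)
    $v   = [version]($raw -replace '-.*$', '')   # strip a '-insider' style suffix if present
    $status = if ($null -eq $VsCodeFixedVersion)  { 'Installed; compare against advisory' }
              elseif ($v -ge $VsCodeFixedVersion) { 'Patched' }
              else                                { 'VULNERABLE - update Visual Studio Code' }
    [pscustomobject]@{ Component = 'Visual Studio Code'; Installed = $true; Version = $v; Status = $status }
}

# Run both checks and print a single table; pipe to Export-Csv instead when collecting from many hosts.
@(Get-HevcCodecStatus) + @(Get-VsCodeStatus) | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that `-AllUsers` can see codec packages installed in other users' profiles; the Settings > Apps path from the article only shows the current user's view. Because the article does not state the patched build numbers, the script reports "compare against advisory" until the placeholders are filled in, rather than guessing a threshold.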
Meanwhile, the company also released its monthly security update (October security patch) that patched 87 vulnerabilities across a wide range of Microsoft products.