Unscheduled emergency patches ! To be patched

Microsoft has released two unscheduled security updates to address the remote code execution (RCE) bugs that were impacting Windows Codecs Library and Visual Studio Code users. The first vulnerability tracked as CVE-2020-17022 was found to be targeting user running Windows 10 version 1709 or later while the second one, CVE-2020-17023 was affecting the Visual Studio Code app.

The company has rated the severity of the two vulnerabilities as “important” that are now getting a fix with the security update.

Starting with the CVE-2020-17022 vulnerability, Microsoft explains that the bug exists in the way that “Microsoft Windows Codecs Library handles objects in memory.” Attackers could take advantage of the vulnerability when users run “malicious images” on their system – planted by the hacker. However, it is said that users who installed optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store are only affected. Users can the check whether the system has HEVC codec by heading to Settings > Apps > Features > HEVC, Advanced Options.

The second CVE-2020-17023 vulnerability impacting Visual Studio Code is executed by tricking users to opening a malicious ‘package.json’ file. Once the bug is loaded in the Visual Studio Code via package.json file, the attacker can then execute malicious codes. The severity of this vulnerability also depends on the permission given to the users who is using the Visual Studio Code. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system,”.

Meanwhile, the company also released its monthly security update (October security patch) that patched 87 vulnerabilities across a wide range of Microsoft products.

Windows out of band updates

Microsoft yesterday quietly released out-of-band software updates to patch two high-risk security vulnerabilities affecting hundreds of millions of Windows 10 and Server editions’ users.

To be noted, Microsoft rushed to deliver patches almost two weeks before the upcoming monthly ‘Patch Tuesday Updates’ scheduled for 14th July.

That’s likely because both flaws reside in the Windows Codecs Library, an easy attack vector to social engineer victims into running malicious media files downloaded from the Internet.
For those unaware, Codecs is a collection of support libraries that help the Windows operating system to play, compress and decompress various audio and video file extensions.

The two newly disclosed security vulnerabilities, assigned CVE-2020-1425 and CVE-2020-1457, are both remote code execution bugs that could allow an attacker to execute arbitrary code and control the compromised Windows computer.

According to Microsoft, both remote code execution vulnerabilities reside in the way Microsoft Windows codec library handles objects in memory.
Exploiting both flaws requires an attacker to trick a user running an affected Windows system into clicking on a specially crafted image file designed to be opened with any app that uses the built-in Windows Codec Library.

CVE-2020-1425 is more critical because the successful exploitation could allow an attacker even to harvest data to compromise the affected user’s system further.
The second vulnerability, tracked as CVE-2020-1457, has been rated as important and could allow an attacker to execute arbitrary code on an affected Windows system.

However, none of the security vulnerabilities has been reported as being publicly known or actively exploited in the wild by hackers at the time Microsoft released emergency patches.

According to advisories, both vulnerabilities were reported to Microsoft by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative and affect the following operating systems:
Windows 10 version 1709
Windows 10 version 1803
Windows 10 version 1809
Windows 10 version 1903
Windows 10 version 1909
Windows 10 version 2004
Windows Server 2019
Windows Server version 1803
Windows Server version 1903
Windows Server version 1909
Windows Server version 2004
Since Microsoft is not aware of any workaround or mitigating factor for these vulnerabilities, Windows users are strongly recommended to deploy new patches before attackers start exploiting the issues and compromise their systems.