Microsoft released emergency patches for Windows Codecs and Visual Studio

Written by Emma Davis

October’s “Update Tuesday”, which fixed 87 bugs, has already passed, and now Microsoft developers have released emergency patches for vulnerabilities in the Windows Codecs Library and Visual Studio Code.

Both bugs allow remote execution of arbitrary code on vulnerable systems.

The first issue received the identifier CVE-2020-17022 and is related to the way the Windows Codecs Library handles objects in memory. The vulnerability affects all versions of Windows 10 and can be exploited by sending a malicious image.

“Using this vulnerability, attackers can create malicious images. If an application running on top of Windows processes such an image, an attacker could execute arbitrary code,” say Microsoft engineers.

Note that the problem does not apply to all Windows 10 users, but only to systems with the vulnerable media codecs HEVC or HEVC from Device Manufacturer, downloaded from the Microsoft Store. The issue does not affect HEVC versions 1.0.32762.0, 1.0.32763.0 and later.

“Remote Code Execution vulnerabilities provide an attacker with initial access to a system without any user action,” Chris Hass, director of information security and research at Automox, says to Forbes. “Unlike a malicious attachment in a phishing email, or trojan horse that you downloaded when trying to install a Minecraft mod,” Hass continues, “all the attacker needs to do is find an unpatched system, send the exploit and wait for the vulnerable system to give them access.”

The experts say the Windows Codecs Library will update automatically through the Microsoft Store, and users won’t have to take any action.
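
To confirm that the Store update has actually landed on a machine, this added example (not from the article or from Microsoft) lists the installed HEVC codec packages and compares each with the first unaffected version named above. The package name pattern `Microsoft.HEVCVideoExtension*` and the helper `Test-HevcPackage` are assumptions, not taken from the article.

```powershell
# Added example: flag Store HEVC codec packages older than the first fixed version.
# Assumption: both Store codec packages match this name pattern; adjust if yours differ.
$NamePattern = 'Microsoft.HEVCVideoExtension*'

# First version the article lists as not affected (1.0.32763.0 and later are also fine).
$FirstFixed = [version]'1.0.32762.0'

function Test-HevcPackage {
    # Hypothetical helper: turns one Appx package object into a status row.
    param([Parameter(Mandatory)] $Package)
    $installed = [version]$Package.Version
    [pscustomobject]@{
        Name    = $Package.Name
        Version = $installed
        Status  = if ($installed -ge $FirstFixed) { 'patched' } else { 'VULNERABLE' }
    }
}

# -AllUsers requires an elevated session; otherwise only the current user's packages are visible.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$packages = if ($isAdmin) {
    Get-AppxPackage -AllUsers -Name $NamePattern
} else {
    Write-Warning 'Not elevated: checking the current user only.'
    Get-AppxPackage -Name $NamePattern
}

if (-not $packages) {
    # The article limits the codec bug to systems that have one of these codecs installed.
    Write-Output 'No HEVC codec package found for the checked user(s).'
} else {
    $packages |
        ForEach-Object { Test-HevcPackage -Package $_ } |
        Sort-Object Name, Version -Unique |
        Format-Table -AutoSize
}
```

A row marked `VULNERABLE` means the Store has not yet delivered the automatic update to that package.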

The vulnerability in Visual Studio Code, in turn, was identified as CVE-2020-17023. This issue allows an attacker to create a malicious package.json file that, when loaded by Visual Studio Code, leads to the execution of malicious code.

“The attacker’s code can be executed with administrator privileges (depending on the rights of the current user), which means that the attacker will have full control over the infected host,” say Microsoft developers.

Visual Studio Code users are encouraged to update their application to the latest version as soon as possible.

To emphasize the seriousness of the situation, let me remind you that the United States Cybersecurity and Infrastructure Agency (CISA) urged people to make sure their systems are updated.
