October’s “Update Tuesday”, which fixed 87 bugs, has already passed, and now Microsoft developers have released emergency patches for vulnerabilities in the Windows Codecs Library and Visual Studio Code.
Both bugs allow remote execution of arbitrary code on vulnerable systems. The first issue received the identifier CVE-2020-17022 and is related to the way the Windows Codecs Library works with objects in memory. The vulnerability affects all versions of Windows 10 and can be exploited by sending a malicious image.
Note that the problem does not apply to all Windows 10 users, but only to systems with the vulnerable media codecs “HEVC” or “HEVC from Device Manufacturer” downloaded from the Microsoft Store. The issue does not affect HEVC versions 1.0.32762.0, 1.0.32763.0 and later.
The experts say the Windows Codecs Library will update automatically through the Microsoft Store, and users won’t have to take any action.
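To confirm that the automatic Store update has actually landed, the installed codec version can be compared with the unaffected versions named above. The PowerShell below is an added example, not code from Microsoft or from the original article; it assumes the Store packages are named Microsoft.HEVCVideoExtension and Microsoft.HEVCVideoExtensions and treats 1.0.32762.0 and anything newer as unaffected.

```powershell
# Added example: audit installed HEVC codec packages for CVE-2020-17022.
# Assumption: the Store packages are named Microsoft.HEVCVideoExtension
# ("HEVC from Device Manufacturer") and Microsoft.HEVCVideoExtensions;
# the wildcard used below matches both.
# Assumption: any version at or above the lowest unaffected version named
# in the article (1.0.32762.0) counts as fixed.
$FixedVersion = [version]'1.0.32762.0'

function Test-HevcPackage {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Version
    )
    # Cast to [version] so the comparison is numeric per component,
    # not a string comparison.
    $v = [version]$Version
    [pscustomobject]@{
        Package  = $Name
        Version  = $v
        Affected = ($v -lt $FixedVersion)
    }
}

# Lists packages for the current user only; add -AllUsers from an elevated
# prompt to cover every profile on the machine.
$packages = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*'

if (-not $packages) {
    Write-Output 'No HEVC codec package installed; this system is outside the affected set.'
}
else {
    $report = $packages | ForEach-Object {
        Test-HevcPackage -Name $_.Name -Version $_.Version
    }
    $report | Format-Table -AutoSize

    if ($report.Affected -contains $true) {
        Write-Warning 'A vulnerable HEVC codec version is installed. Update it through the Microsoft Store.'
    }
}
```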
In turn, the vulnerability in Visual Studio Code was identified as CVE-2020-17023. This issue allows the creation of malicious package.json files that, when loaded by Visual Studio Code, would allow the execution of malicious code.
Visual Studio Code users are encouraged to update their application to the latest version as soon as possible.
To emphasize the seriousness of the situation, let me remind you that the United States Cybersecurity and Infrastructure Agency (CISA) urged people to make sure their systems are updated.