As a follow-up to this month’s Patch Tuesday, which addressed 87 security vulnerabilities in total, Microsoft has released two additional out-of-band patches: one for the Windows Codecs library and one for Visual Studio Code.
Both vulnerabilities are remote code execution (RCE) flaws.
An attacker who successfully exploits either of them can run code of their choosing on the affected system.
First off, we have CVE-2020-17022, a Windows Codecs library security issue.
According to Microsoft, an attacker prepares a specially crafted image file and delivers it to the target device, for example as an attachment or a download.
On an unpatched device, code execution occurs as soon as any application that relies on the Windows codec opens the image, so the victim does not need to do more than view or preview the file.
The bug affects Windows 10 (Microsoft lists version 1709 and later); it is not a flaw in a single application but in the shared codec that applications call.
Only systems on which the optional HEVC codec has been installed are affected, either the paid ‘HEVC Video Extensions’ package or the free ‘HEVC from Device Manufacturer’ package.
Because both are distributed exclusively through the Microsoft Store, the fix is delivered as a Store update rather than through Windows Update, and users who have the codec should receive it automatically.
The codec is not available for Windows Server, so server systems are not affected.
To confirm that you are running a fixed build, open Settings > Apps > Apps & features, select the HEVC Video Extensions entry and check its version: 1.0.32762.0, 1.0.32763.0 and later are patched.
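The same check can be scripted, which is more practical across a fleet than clicking through Settings on each machine. The snippet below is an added example and is not from the original article or from Microsoft; it assumes the Store packages are named Microsoft.HEVCVideoExtension (the paid codec) and Microsoft.HEVCVideoExtensions (the ‘from Device Manufacturer’ variant), which the wildcard in the query covers, and it treats any version at or above the lowest fixed version Microsoft lists as patched.

```powershell
# Added example (not part of the original article): report whether the
# installed HEVC codec packages are at or above the fixed versions for
# CVE-2020-17022. Assumed package names: Microsoft.HEVCVideoExtension and
# Microsoft.HEVCVideoExtensions; the wildcard covers both.

function Test-HevcCodecPatched {
    [CmdletBinding()]
    param(
        # Versions Microsoft lists as fixed; anything >= the lowest one is patched.
        [version[]]$FixedVersions = @([version]'1.0.32762.0', [version]'1.0.32763.0')
    )

    $minimumFixed = ($FixedVersions | Sort-Object)[0]

    # Only the current user's packages are queried, so this runs without elevation.
    # Add -AllUsers (requires admin) to cover every profile on the machine.
    $packages = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction SilentlyContinue

    if (-not $packages) {
        # No HEVC codec means the vulnerable code is not present at all.
        return [pscustomobject]@{
            Package   = 'none'
            Installed = $null
            Required  = $minimumFixed
            Status    = 'NotInstalled'
        }
    }

    foreach ($pkg in $packages) {
        # Appx versions are strings like 1.0.32762.0; cast for a numeric compare
        # rather than a string compare (which would mis-order 1.0.9 vs 1.0.32762).
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Package   = $pkg.Name
            Installed = $installed
            Required  = $minimumFixed
            Status    = if ($installed -ge $minimumFixed) { 'Patched' } else { 'Vulnerable' }
        }
    }
}

# Usage: print one row per codec package and exit non-zero if any is vulnerable,
# so the script can be used as a compliance check from a management tool.
$results = Test-HevcCodecPatched
$results | Format-Table -AutoSize
if ($results.Status -contains 'Vulnerable') {
    Write-Warning 'HEVC codec below fixed version; open Microsoft Store > Library > Get updates.'
    exit 1
}
```

A result of NotInstalled is the benign case here: the vulnerable library is simply absent. A Vulnerable result usually means the Store has not yet pushed the update; forcing a check for updates in the Store app resolves it without waiting for the automatic cycle.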
The second bug is tracked as CVE-2020-17023 and affects Visual Studio Code.
Microsoft explains that an attacker can craft a malicious package.json file that causes attacker-supplied code to run when a user opens it in Visual Studio Code; in practice this means cloning or downloading an attacker-controlled project and opening it in the editor is enough.
The code runs with the privileges of the logged-on user, so if that user has administrative rights, a successful exploit gives the attacker full control of the system; a standard user account limits the damage to that user’s data and permissions.
Visual Studio Code users should update to the latest version without delay, and should treat untrusted repositories with the same caution as untrusted executables until they have done so.