Microsoft has released two unscheduled security updates to address remote code execution (RCE) bugs affecting Windows Codecs Library and Visual Studio Code users. The first vulnerability, tracked as CVE-2020-17022, was found to affect users running Windows 10 version 1709 or later, whereas the second, CVE-2020-17023, affects the Visual Studio Code app. The company has rated the severity of the two vulnerabilities as “important”, and both are now fixed by the security updates.
Starting with CVE-2020-17022, Microsoft explains that the bug exists in the way that “Microsoft Windows Codecs Library handles objects in memory.” According to ZDNet, attackers could take advantage of the vulnerability when users run “malicious images” on their system, planted by the hacker. However, it is stated that only users who installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store are affected. Users can check whether the system has the HEVC codec by heading to Settings > Apps > Features > HEVC, Advanced Options. Additionally, the company says the fix is being rolled out automatically through Microsoft Store and “customers don’t need to take any action to receive the update.”
The second vulnerability, CVE-2020-17023, which impacts Visual Studio Code, is exploited by tricking users into opening a malicious ‘package.json’ file. Once the malicious package.json file is loaded in Visual Studio Code, the attacker can then execute malicious code. The severity of this vulnerability also depends on the permissions of the user who is running Visual Studio Code. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” Microsoft explained. The company further adds that the update fixes CVE-2020-17023 by modifying the way Visual Studio Code handles JSON files. Visual Studio Code users can get the security update by updating the app.
Meanwhile, the company also released its monthly security update (October security patch), which patched 87 vulnerabilities across a range of Microsoft products.