Microsoft released emergency security updates to address two vulnerabilities that allow remote code execution (RCE) and affect the Microsoft Windows Codecs Library and Visual Studio Code.
The CVE-2020-17022 vulnerability was reported to Microsoft by Dhanesh Kizhakkinan of FireEye Inc., while CVE-2020-17023 was reported by Justin Steven.
Only Windows 10 is vulnerable
The remote code execution vulnerability CVE-2020-17022, located in the Microsoft Windows Codecs Library, affects every device running Windows 10 (version 1709 or later) with a vulnerable library version.
The vulnerability concerns how the Microsoft Windows Codecs Library handles data in memory. To exploit it, a program must process a specially crafted image file.
Microsoft, however, states that Windows 10 devices are not vulnerable in their default configuration: "Only customers who have HEVC or 'HEVC from Device Manufacturer' media codecs installed from the Microsoft Store may be vulnerable."
For this reason, users need to make sure that they are running the latest versions. The secure versions, according to Microsoft, are 1.0.32762.0, 1.0.32763.0 and later.
The second vulnerability, CVE-2020-17023, located in Visual Studio Code, is triggered when users open a malicious "package.json" file. It allows attackers to execute code remotely.
If the user has administrator privileges, successful exploitation may also allow the creation of fake administrator accounts on compromised Windows devices.
According to Microsoft, CVE-2020-17023 is essentially a bypass of the update for CVE-2020-16881, another RCE bug in Visual Studio Code. That update was released on September 8th.
Updates will be installed automatically
According to BleepingComputer, users do not need to take any action to protect their computers from CVE-2020-17022, as the security update will be delivered automatically, via the Microsoft Store, to all affected devices (unless automatic updates are turned off for Microsoft Store applications).
Alternatively, users can check for updates with the Microsoft Store app.