Microsoft: Releases emergency updates to fix RCE vulnerabilities

Microsoft released emergency security updates to address two vulnerabilities that allow remote code execution (RCE) and affect the Microsoft products Windows Codecs Library and Visual Studio Code.

The two vulnerabilities are tracked as CVE-2020-17022 and CVE-2020-17023 and are considered very serious. However, they are said to have not yet been used by cyber criminals.

The CVE-2020-17022 vulnerability was reported to Microsoft by Dhanesh Kizhakkinan of FireEye Inc., while CVE-2020-17023 was reported by Justin Steven.

Only Windows 10 is vulnerable

The remote code execution vulnerability CVE-2020-17022, located in the Microsoft Windows Codecs Library, affects every device running Windows 10 (version 1709 or later) with a vulnerable library version.

The vulnerability has to do with how the Microsoft Windows Codecs Library handles data in memory. To exploit the vulnerability, a program must process a specially crafted image file.

Microsoft, however, states that Windows 10 devices are not vulnerable in their default configuration: "Only customers who have HEVC or 'HEVC from Device Manufacturer' media codecs installed from the Microsoft Store may be vulnerable."

For this reason, users need to be sure that they are using the latest versions. The secure versions, according to Microsoft, are 1.0.32762.0, 1.0.32763.0 and later.
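
One way to run that version check from PowerShell, as an added example that is not from the original article or from Microsoft. The package name pattern `Microsoft.HEVCVideoExtension*` and the helper name `Test-HevcCodecVersion` are assumptions; the minimum version is the lower of the two secure versions listed above.

```powershell
# Added example: compare installed HEVC codec packages with the fixed versions
# named in the article (1.0.32762.0, 1.0.32763.0 and later).
# Assumption: the Store codecs are registered under names matching
# 'Microsoft.HEVCVideoExtension*'.
$MinFixed = [version]'1.0.32762.0'   # lowest secure version listed in the article

# Hypothetical helper: classify one package version against the minimum.
function Test-HevcCodecVersion {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version,
        [version] $Minimum = $MinFixed
    )
    [pscustomobject]@{
        Package = $Name
        Version = $Version
        Status  = if ($Version -ge $Minimum) { 'Fixed' }
                  else { 'Vulnerable - update via Microsoft Store' }
    }
}

# Enumerate the current user's packages; the Version string is cast to
# [version] by the parameter type so the comparison is numeric per field.
$packages = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*')

if ($packages.Count -eq 0) {
    # Matches the article: a default Windows 10 install has no HEVC codec.
    'No HEVC codec package found for this user; default configuration is not affected.'
} else {
    $packages | ForEach-Object {
        Test-HevcCodecVersion -Name $_.Name -Version $_.Version
    }
}
```

The check covers only the current user's packages; on a shared machine, running `Get-AppxPackage -AllUsers` from an elevated session extends it to every profile.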

Microsoft fixed two similar RCE bugs in June, which confused users because the updates were delivered through the Microsoft Store instead of Windows Update.


The CVE-2020-17023 vulnerability, located in Visual Studio Code, is triggered when users open a malicious "package.json" file. The vulnerability allows attackers to execute code remotely.

If the user has administrator privileges, successful exploitation of the vulnerability may also allow the creation of fake administrator accounts on compromised Windows devices.

According to Microsoft, CVE-2020-17023 is essentially a bypass of the update for CVE-2020-16881, another RCE bug in Visual Studio Code. That update was released on September 8th.

Updates will be installed automatically

According to BleepingComputer, users do not need to take any action to protect their computers from CVE-2020-17022, as the security update will be delivered automatically, via the Microsoft Store, to all affected devices (unless automatic updates are turned off for Microsoft Store applications).

Alternatively, users can check for updates in the Microsoft Store app.

Digital Fortress