Microsoft has released two security updates to address remote code execution (RCE) bugs affecting users of the Windows Codecs Library and Visual Studio Code. The first vulnerability, tracked as CVE-2020-17022, was found to affect users running Windows 10 version 1709 or later, whereas the second, CVE-2020-17023, affects the Visual Studio Code app. The company has rated the severity of both vulnerabilities as “important”, and both are now being fixed with security updates.
Starting with the CVE-2020-17022 vulnerability, Microsoft explains that the bug exists in the way that “the Microsoft Windows Codecs Library handles objects in memory.” According to ZDNet, attackers can take advantage of the vulnerability when users open “malicious images”, supplied by hackers, on their systems. However, only users who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are said to be affected. Users can check whether the system has an HEVC codec by going to Settings > Apps > Features > HEVC, Advanced Options. Additionally, the company states that the fix is being rolled out automatically through the Microsoft Store and that “customers don’t need to take any action to receive updates.”
The second vulnerability, CVE-2020-17023, affects Visual Studio Code and is triggered when a user opens a malicious ‘package.json’ file. Once the file is loaded into Visual Studio Code, the attacker can execute malicious code. The severity of this vulnerability also depends on the permissions of the user running Visual Studio Code. “If the current user is logged on with administrative user rights, an attacker can take control of the affected system,” Microsoft explained. The company further states that the Visual Studio Code update fixes CVE-2020-17023 by modifying how JSON files are handled. Visual Studio Code users can get the security update by updating the app.
Meanwhile, the company also released its monthly security update (the October security patch), which patched 87 vulnerabilities across a wide range of Microsoft products.