Despite Microsoft publishing this month’s Patch Tuesday fixes on October 13, the company has published two more emergency updates on October 15, this time in an attempt to resolve remote code execution vulnerabilities hitting the Windows Codecs Library and Visual Studio Code.
One of the first to announce the availability of the new updates was the United States Department of Homeland Security’s CISA, which published an advisory on its website to recommend administrators to patch their devices as soon as possible.
“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code. An attacker could exploit these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for CVE-2020-17022 and CVE-2020-17023 and apply the necessary updates,” CISA said.
Microsoft warns that an attacker would have to convince a potential victim using an unpatched system to open a specially crafted image file. When this happens, the attacker could eventually be able to run arbitrary code, so what the patch does is resolve how the library handles objects in memory.
The vulnerability affects all Windows 10 versions on the market, including version 2004, or May 2020 Update. It’s been given an important severity rating.
“A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” Microsoft explains in its advisory.
Microsoft explains that a successful attack requires a malicious actor to convince the target to clone a repository and then open it in Visual Studio Code. While this is obviously a more complex attack, if the pre-requires are met, the attacker would be able to take control of an unpatched system once the malicious package.json file is launched.
The out-of-band patch resolves the vulnerability by simply modifying how Visual Studio Code handles JSON files, Microsoft explains.
“A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious ‘package.json’ file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the company notes.
Just like the other vulnerability, the Visual Studio Code has been given an important severity rating.
The good news is that both security flaws have been privately disclosed, and Microsoft confirmed that it’s not aware of any active exploits happening in the wild. So at the end of the day, it’s a good thing that Microsoft released the new patches so fast, as this way users can be sure they are protected should any malicious actor try to exploit the two vulnerabilities.
Needless to say, all users are recommended to install the latest patches as soon as possible on all their devices.
Microsoft Corporation, Microsoft Windows, Visual Studio Code, Patch, Arbitrary code execution, Patch Tuesday, Computer security
World news – GB – Microsoft Releases Emergency Patches to Resolve Two RCE Flaws