Microsoft publishes out-of-band patches for bugs in Visual Studio Code and Windows Codecs Library that could allow attackers to take over a system

Microsoft has published two emergency patches for vulnerabilities that could allow attackers to execute malicious code and take over a Windows system.

The patches arrived days after Microsoft issued its monthly round of patches last week, fixing 87 vulnerabilities, 11 of them critical.

They affect Microsoft’s Visual Studio Code source-code editor and the Windows Codecs Library, which provides interfaces for transcoding data in Windows programs.

The Windows Codecs Library flaw, identified as CVE-2020-17022, is caused by a bug in the way the library handles objects in memory, Microsoft said in an advisory.

Users are affected only if they have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store.

To determine whether a system is vulnerable, users can check the version number of the HEVC package installed on their system; versions 1.0.32762.0, 1.0.32763.0 and later are secure.
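The version check described above can be scripted for a fleet. This is an added example, not Microsoft's or the article's own code: it assumes the Store codecs register as AppX packages whose names start with `Microsoft.HEVCVideoExtension`, and it treats 1.0.32762.0, the lower of the two versions quoted, as the minimum fixed build.

```powershell
# Added example: report whether installed HEVC codec packages meet the fixed
# versions quoted in the article (CVE-2020-17022).
# Assumption: package names start with "Microsoft.HEVCVideoExtension".
$NameFilter   = 'Microsoft.HEVCVideoExtension*'
# Lower of the two fixed versions named in the article; 1.0.32763.0 and later also pass.
$FixedVersion = [version]'1.0.32762.0'

function Get-HevcPatchStatus {
    # -AllUsers needs an elevated session; fall back to the current user's packages.
    try {
        $packages = Get-AppxPackage -AllUsers -Name $NameFilter -ErrorAction Stop
    } catch {
        Write-Warning 'Not elevated: checking the current user only.'
        $packages = Get-AppxPackage -Name $NameFilter
    }

    foreach ($pkg in $packages) {
        $parsed = $null
        if (-not [version]::TryParse($pkg.Version, [ref]$parsed)) {
            # Do not guess: surface anything that is not a plain dotted version.
            $status = 'Unparsed version, review manually'
        } elseif ($parsed -ge $FixedVersion) {
            $status = 'Patched'
        } else {
            $status = 'Needs update'
        }
        [pscustomobject]@{
            Name    = $pkg.Name
            Version = $pkg.Version
            Status  = $status
        }
    }
}

$report = @(Get-HevcPatchStatus)
if ($report.Count -eq 0) {
    # Per the article, only systems with the optional codecs installed are affected.
    'No HEVC codec package found; CVE-2020-17022 does not apply to this system.'
} else {
    $report | Format-Table -AutoSize
}
```

The `[version]` cast compares each numeric field in turn, so 1.0.4000.0 would correctly rank below 1.0.32762.0, which a plain string comparison would get wrong.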

The Visual Studio Code bug can be exploited if a user is tricked into opening a malicious ‘package.json’ file, Microsoft said.

A successful attack could allow the attacker to run malicious code in the context of the current user.

If the user were logged on with administrative user rights, an attacker could take complete control of the affected system.

The attacker would need to convince a target to clone a malicious repository and open it in Visual Studio Code, Microsoft said.

Microsoft urged users to update the app as soon as possible to the most recent, secure version.

The company said it has not identified any mitigations or workarounds for either of the flaws.


Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.


Source: https://www.silicon.co.uk/workspace/microsoft-emergency-patches-348411
