News

Out-of-Band Microsoft Patches Released for Remote Code Execution

• By Kurt Mackie
• 10/19/2020

Microsoft last week issued two "out-of-band" security updates outside of its traditional Patch Tuesday bundle, which arrived on Oct. 13 this month.

The two patches, noted in a Friday post by the U.S. Cybersecurity and Infrastructure Security Agency, both address remote code execution vulnerabilities -- one in the Windows Codec Library (CVE-2020-17022) and one in Visual Studio Code (CVE-2020-17023).

Not everyone is subject to the Windows Codec Library vulnerability. It only affects users who have installed an optional High-Efficiency Videocoding (HEVC, also known as "H.265") codec from a device maker from the Microsoft Store.

The vulnerability just pertains to Windows 10 users and could get triggered when a "specially crafted image file" is processed, permitting the execution of arbitrary code by an attacker.

The Microsoft Store will automatically deliver a fix for the CVE-2020-17022 vulnerability, so there are no actions to take. The issue can be verified as secure versions of the Windows Codec Library are "1.0.32762.0, 1.0.32763.0, and later."

The second vulnerability (CVE-2020-17023) requires tricking a Visual Studio Code user to click on a "malicious "package.json" file, which could enable an attacker to run "arbitrary code in the context of the current user." The attack involves additional trickery, as well. The end user needs to "clone a repository and open it in Visual Studio Code."

The out-of-band patch will change how JSON files get handled by Visual Studio Code, which will fix the issue, Microsoft explained.