Microsoft has rushed out fixes for two security vulnerabilities affecting Microsoft Windows Codecs Library and Visual Studio Code. The security flaws are classified as Remote Code Execution (RCE) vulnerabilities and if successfully exploited could allow threat actors to take over an affected system.
Both vulnerabilities carry a base score of 7.8 on the Common Vulnerability Scoring System (CVSS) scale and are rated "important" under Microsoft's own severity scheme. Neither is known to have been exploited in the wild.
Indexed as CVE-2020-17022, the security loophole in the Windows Codecs Library does not affect users running Windows 10 in its default configuration. Instead, only users who have installed the optional High Efficiency Video Coding (HEVC) or “HEVC from Device Manufacturer” media codecs and are running Windows 10 version 1709 or above could be vulnerable.
“Exploitation of the vulnerability requires that a program process a specially crafted image file,” Microsoft said, explaining the attack vector a cybercriminal could use. The flaw – for which there are no known mitigations or workarounds – has to do with how Windows Codecs Library handles objects in memory.
It's worth noting that instead of the usual Windows Update channel, the patch is being delivered via the Microsoft Store. Since both HEVC packages are optional apps or components that are offered to customers through the Store, the fixes are offered through the same channel, and will not show up in the Windows Update history.
"Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update," said Microsoft. The company also published guidance for users who want to expedite the process, or who want to verify that the updated codec packages have been installed on their systems.
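Because the fix arrives through the Store rather than Windows Update, the usual patch-compliance reports will not reflect it. The following PowerShell script is an added example, not code from the article or from Microsoft: it lists the installed HEVC codec packages and compares their versions against the fixed versions. The package names and the two version thresholds are taken from Microsoft's advisory for CVE-2020-17022 as recalled here and are treated as assumptions; confirm them against the advisory before relying on the result.

```powershell
# Added example (not from the article or from Microsoft): check whether the
# Store-delivered HEVC codec packages on this Windows 10 machine are at or above
# the versions Microsoft published as fixed for CVE-2020-17022.
# ASSUMPTION: package names and version thresholds below are as recalled from
# Microsoft's advisory; verify them against the advisory before use.

$fixed = @{
    'Microsoft.HEVCVideoExtension'  = [version]'1.0.32762.0'   # "HEVC Video Extensions" (Store)
    'Microsoft.HEVCVideoExtensions' = [version]'1.0.32763.0'   # "HEVC from Device Manufacturer"
}

# -AllUsers needs an elevated prompt; without it only the current user's
# packages are enumerated. Neither package exists on a default Windows 10
# install, so an empty result means the machine is not exposed to this bug.
$installed = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $installed) {
    Write-Output 'No HEVC codec packages installed: not affected by CVE-2020-17022.'
    return
}

foreach ($pkg in $installed) {
    $required = $fixed[$pkg.Name]
    if (-not $required) {
        # A package matching the wildcard but not in the advisory's list
        Write-Output ("{0} {1}: not one of the packages covered by the advisory" -f $pkg.Name, $pkg.Version)
        continue
    }
    # Get-AppxPackage returns Version as a string; cast so the comparison is numeric
    $state = if ([version]$pkg.Version -ge $required) { 'PATCHED' } else { 'VULNERABLE' }
    Write-Output ("{0} {1} (fixed >= {2}): {3}" -f $pkg.Name, $pkg.Version, $required, $state)
}

# To pull the update without waiting for the Store's background refresh, open
# Microsoft Store, go to Library (or Downloads and updates) and choose Get updates.
```

Run it from an elevated PowerShell prompt so that packages installed for other user accounts on the machine are included; on a fleet, the same comparison can be wrapped in a script run by whatever management agent is in use, since the Store update will not appear in WSUS or Windows Update reporting.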
Meanwhile, the flaw in Visual Studio Code tracked as CVE-2020-17023 could be exploited if a user was duped into opening a malicious JSON file. As is the case with the previous vulnerability, there are no workarounds or mitigating factors. Users are, therefore, advised to apply the patch.
The United States Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators to make sure their systems are updated.
The security patches were released within days of Microsoft's Patch Tuesday, which addressed 87 vulnerabilities, 12 of which Microsoft rated critical. Out-of-band patch releases are usually reserved for unexpected, wide-ranging, or severe vulnerabilities.