Microsoft today released two out-of-band security updates to address vulnerabilities in the Windows Codecs library and the Visual Studio Code application.
The two updates arrive late, after the company released its monthly batch of security updates earlier this week, on Tuesday, patching 87 vulnerabilities this month.
Both new vulnerabilities are “remote code execution” flaws.
Windows Codecs Library Vulnerability
The first bug is tracked as CVE-2020-17022. Microsoft says attackers can craft malicious images that, when processed by an app running on top of Windows, could allow them to execute code on an unpatched Windows OS.
All versions of Windows 10 are affected.
Microsoft said that an update to this library was automatically installed on user systems through the Microsoft Store.
Not all users are affected, only those who have installed the optional HEVC or “HEVC from device manufacturer” media codecs from the Microsoft Store.
HEVC is not available for offline distribution and is only available through the Microsoft Store. The library is also not supported on Windows Server.
To check whether they are running a vulnerable HEVC codec, users can go to Settings, Apps and features, and select HEVC, Advanced Settings. The secure versions are 1.0.32762.0, 1.0.32763.0 and later.
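The same version check can be scripted for fleet use. The following PowerShell is an added example, not part of the original article or Microsoft's guidance as quoted here; it assumes the Store codec packages are named `Microsoft.HEVCVideoExtension*` and treats 1.0.32762.0, the lowest secure version quoted above, as the minimum.

```powershell
# Added example: report installed HEVC codec packages and whether they meet
# the secure versions quoted in the article (1.0.32762.0, 1.0.32763.0 and later).
# Assumption: the Store packages are named Microsoft.HEVCVideoExtension*.
$minSecure   = [version]'1.0.32762.0'
$namePattern = 'Microsoft.HEVCVideoExtension*'

# -AllUsers needs an elevated session; fall back to the current user otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$packages = if ($isAdmin) {
    Get-AppxPackage -AllUsers -Name $namePattern
} else {
    Get-AppxPackage -Name $namePattern
}

if (-not $packages) {
    # Only systems with the optional codec installed are affected.
    Write-Output 'No HEVC codec package found in the checked scope.'
    return
}

$packages | ForEach-Object {
    # Version is returned as a string; cast it so the comparison is numeric
    # per component rather than lexical.
    $installed = [version]$_.Version
    [pscustomobject]@{
        Name    = $_.Name
        Version = $installed
        Status  = if ($installed -ge $minSecure) {
            'Patched'
        } else {
            'Vulnerable: update via Microsoft Store'
        }
    }
} | Format-Table -AutoSize
```

Run without elevation, it only inspects packages registered for the current user.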
Visual Studio Code Vulnerability
The second bug is tracked as CVE-2020-17023. Microsoft says that attackers can craft malicious package.json files that, when loaded into Visual Studio Code, can execute malicious code.
Depending on the user’s permissions, an attacker’s code can run with administrator privileges, giving the attacker full control over an infected host.
Visual Studio Code users are advised to update the app as soon as possible to the latest version.