HackDig : Dig high-quality web security articles for hackers

Microsoft issues out-of-band Windows security updates for RCE bugs

2020-10-16 16:00

Microsoft has released two out-of-band security updates designed to address remote code execution (RCE) bugs found to affect Visual Studio Code and the Microsoft Windows Codecs Library.

The two vulnerabilities are tracked as CVE-2020-17022 and CVE-2020-17023. Both are rated as important severity and marked as not being exploited in the wild.

Only Windows 10 client platforms affected

The 'CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability' affects all devices running Windows 10, version 1709 or later, and a vulnerable library version.

The vulnerability is caused by the way the Microsoft Windows Codecs Library handles objects in memory, and successful exploitation requires a program to process a specially crafted image file.

Microsoft says that Windows 10 devices are not vulnerable in their default configuration and that "only customers who have installed the optional HEVC or 'HEVC from Device Manufacturer' media codecs from Microsoft Store may be vulnerable."

Microsoft patched two similar RCE bugs in June, leading to user confusion because of the ways the security updates were being delivered — via the Microsoft Store instead of the normal Windows Update channel.

The 'CVE-2020-17023 | Visual Studio JSON Remote Code Execution Vulnerability' is triggered when a user opens a maliciously crafted 'package.json' file, and it allows attackers to remotely execute code in the context of the currently logged-on user.

If the user has administrative rights, successful exploitation also enables attackers to create rogue admin accounts on compromised Windows devices.

No mitigation available, updates will install automatically

Microsoft says that it has not identified any mitigating measures or workarounds for the two vulnerabilities.

Affected customers don't have to take any action to secure their computers against CVE-2020-17022 since the security update will be automatically delivered to all impacted devices via the Microsoft Store unless automatic updating for Microsoft Store apps is disabled.

"Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here," Microsoft explains.

CVE-2020-17022 was reported to Microsoft by Dhanesh Kizhakkinan of FireEye Inc, while CVE-2020-17023 was reported by Justin Steven.

BleepingComputer has reached out to Microsoft and both researchers for more details but had not heard back at the time of this publication.


Source: www.bleepingcomputer.com/news/security/microsoft-issues-out-of-band-windows-security-updates
