Microsoft has issued two out-of-band security updates to fix remote code execution flaws in the Windows Codecs Library and the Visual Studio Code application.
The first vulnerability, tracked as CVE-2020-17022, resides in the Windows Codecs Library and affects any device running Windows 10, version 1709 or later, with a vulnerable version of the library installed.
The flaw exists because of the way the Microsoft Windows Codecs Library handles objects in memory. An attacker could exploit it to execute arbitrary code by getting a victim to open a malicious image file.
Microsoft explains that the vulnerability only affects users who have installed the optional HEVC or "HEVC from Device Manufacturer" media codecs from the Microsoft Store. The secure versions are 1.0.32762.0, 1.0.32763.0, and later.
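Because the fix ships through the Store rather than Windows Update, an administrator will want to confirm which codec version each user profile actually has. The following script is an added example, not code from Microsoft or the article; it assumes the optional codecs are published under the Microsoft.HEVCVideoExtension* package family name and compares the installed versions against the lowest secure version quoted above.

```powershell
# Added example: audit the optional HEVC codec packages on this machine
# against the fixed versions named in the advisory (1.0.32762.0 and later).
# Assumption: the Store packages use the Microsoft.HEVCVideoExtension*
# family name; adjust the -Name filter if your environment differs.
$FixedVersion = [version]'1.0.32762.0'

# -AllUsers is required because Store apps are installed per user profile
$packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $packages) {
    Write-Output 'No optional HEVC codec package installed: CVE-2020-17022 does not apply here.'
    return
}

foreach ($pkg in $packages) {
    # [version] gives a proper numeric comparison, so 1.0.32763.0 and
    # any later build count as patched, while e.g. 1.0.31823.0 does not
    $installed = [version]$pkg.Version
    $status = if ($installed -ge $FixedVersion) { 'OK' } else { 'VULNERABLE' }

    # Which profiles have this package version staged
    $users = ($pkg.PackageUserInformation.UserSecurityId.Username) -join ', '

    Write-Output ('{0,-11} {1,-45} {2,-14} users: {3}' -f $status, $pkg.Name, $pkg.Version, $users)
}
```

Run it from an elevated PowerShell session, since -AllUsers needs administrator rights; any line marked VULNERABLE means that profile still needs to pull the update from the Microsoft Store.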
The second bug (CVE-2020-17023) affects the Visual Studio Code application.
“The vulnerability exists when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
Successful exploitation requires an attacker to convince a victim to clone a repository and open it in Visual Studio Code. The malicious code would execute when the user opens the malicious 'package.json' file.
Microsoft did not provide any workarounds for the above-mentioned vulnerabilities.