Microsoft Fixes RCE Flaws in Out-of-Band Windows Update

  • The two important-severity flaws in Microsoft Windows Codecs Library and Visual Studio Code could enable remote code execution.

    Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution.

    One flaw (CVE-2020-17023) exists in Microsoft’s Visual Studio Code, a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.

    “Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” according to a Friday CISA alert on the patches. “An attacker could exploit these vulnerabilities to take control of an affected system.”

    According to Microsoft, one “important” severity flaw (CVE-2020-17022) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.

    An attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While an attacker could be remote to launch the attack, exploitation requires that a program process a specially crafted image file.

    Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable. The secure Microsoft installed package versions are 1..32762., 1..32763., and later.

    “The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” according to Microsoft.

    The other “important” severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code, when a user is tricked into opening a malicious ‘package.json’ file.

    According to Microsoft, an attacker who successfully exploited this flaw (CVE-2020-17023) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker’s malicious code would execute when the target opens the malicious ‘package.json’ file.

    “If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

    Microsoft’s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON data.

    In a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).

    Microsoft Visual Studio Code seems to have botched the fix for CVE-2020-16881, a “remote code execution” vulnerability concerning “malicious package.json files”. The patch can be trivially bypassed. A thread 🧵

    — GNU/JUSTIN (@justinsteven) October 2, 2020

    Neither flaw has been observed being exploited in the wild, according to Microsoft. Microsoft also did not provide mitigations or workarounds for either flaw – but updates will be automatically installed for users.

    “Affected customers will be automatically updated by Microsoft Store,” according to Microsoft. “Customers do not need to take any action to receive the update.”

    The fixes come days after Microsoft’s October Patch Tuesday updates, during which it released fixes for 87 security vulnerabilities, 11 of them critical – and one potentially wormable.

    In the case of these bugs, “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are provided whenever necessary,” according to Microsoft.