Microsoft Fixes RCE Flaws in Out-of-Band Windows Update

Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution.

One flaw (CVE-2020-17023) exists in Microsoft’s Visual Studio Code, a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.

“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” according to a Friday CISA alert on the patches. “An attacker could exploit these vulnerabilities to take control of an affected system.”

According to Microsoft, one “important” severity flaw (CVE-2020-17022) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.

An attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While the attack can be launched remotely, exploitation requires that a program process a specially crafted image file.

Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable. The secure versions of the Microsoft-installed packages are 1.0.32762.0, 1.0.32763.0, and later.

“The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” according to Microsoft.
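A defender can check whether a host carries one of the optional HEVC packages and whether it has reached a fixed version. The PowerShell below is an added example, not code from the article or from Microsoft; the package name prefix `Microsoft.HEVCVideoExtension` and the use of 1.0.32762.0 as the comparison floor are assumptions.

```powershell
# Added example: report Store-delivered HEVC codec packages and whether each
# has reached the fixed versions quoted in the article (CVE-2020-17022).

# Assumption: the lower of the two quoted secure versions is used as the floor.
$FixedFloor = [version]'1.0.32762.0'

function Test-HevcPackageVersion {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version,
        [version] $Floor = $FixedFloor
    )
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Status  = if ($Version -ge $Floor) { 'Patched' } else { 'Needs update' }
    }
}

# Assumption: both optional codecs use package names starting with this prefix.
# Without -AllUsers (which needs elevation) only the current user's packages are listed.
$packages = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*')

if ($packages.Count -eq 0) {
    'No optional HEVC codec package found for this user.'
} else {
    $packages | ForEach-Object {
        Test-HevcPackageVersion -Name $_.Name -Version ([version]$_.Version)
    }
}

# Constructed sample versions (not real inventory) to show the comparison itself:
Test-HevcPackageVersion -Name 'sample-old' -Version '1.0.31822.0'
Test-HevcPackageVersion -Name 'sample-new' -Version '1.0.32763.0'
```

A host with no matching package falls outside the affected population the article describes; a host reporting "Needs update" should receive the codec update through Microsoft Store.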

The other “important” severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code and is triggered when a user is tricked into opening a malicious ‘package.json’ file.

According to Microsoft, an attacker who successfully exploited this flaw (CVE-2020-17023) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker’s malicious code would execute when the target opens the malicious ‘package.json’ file.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft’s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.

In a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).
