Microsoft releases emergency security updates for Windows and Visual Studio
Microsoft has announced two out-of-band security updates to address vulnerabilities in the Windows Codecs Library and the Visual Studio Code application.
The two updates arrive after the company published its monthly batch of security updates earlier this week, on Tuesday, patching 87 vulnerabilities this month.
Both new vulnerabilities are "remote code execution" flaws, allowing attackers to execute code on impacted systems.
The first bug is tracked as CVE-2020-17022. Microsoft states that attackers can create malicious images that, when processed by an app running on top of Windows, can allow the attacker to execute code on an unpatched Windows OS.
All Windows 10 versions are affected. Microsoft said an update for this library will be installed automatically on user systems via the Microsoft Store.
Not all users are affected, only those who have installed the optional HEVC or "HEVC from Device Manufacturer" media codecs from the Microsoft Store. HEVC is not available for offline distribution and is only accessible via the Microsoft Store. The library is also not supported on Windows Server.
To check whether you're using a vulnerable HEVC codec, go to Settings, Apps & Features, and select HEVC, Advanced Options. The secure versions are 1.0.32762.0, 1.0.32763.0, and later.
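For checking many machines, the same version check can be scripted. The PowerShell below is an added example, not part of Microsoft's advisory or the original article; it assumes the Store packages are named `Microsoft.HEVCVideoExtension*` and uses the lower of the two secure versions listed above as the threshold.

```powershell
# Added example: report installed HEVC codec packages and whether each one is
# at or above the lowest secure version named in the article (1.0.32762.0).
# Assumption: the codec packages match the name Microsoft.HEVCVideoExtension*.

function Test-HevcCodecPatched {
    param(
        # Lowest version the article lists as secure.
        [version]$MinimumSecureVersion = '1.0.32762.0',
        # Check every user profile (needs an elevated session) or only the caller's.
        [switch]$AllUsers
    )

    $query = @{ Name = 'Microsoft.HEVCVideoExtension*' }
    if ($AllUsers) { $query.AllUsers = $true }

    # The codec is optional, so an empty result means the host is not affected.
    $packages = @(Get-AppxPackage @query)

    foreach ($pkg in $packages) {
        # Version is a string such as "1.0.32762.0"; cast it so the comparison
        # is numeric per component rather than alphabetical.
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Package  = $pkg.Name
            Version  = $installed
            Patched  = ($installed -ge $MinimumSecureVersion)
        }
    }
}

$results = @(Test-HevcCodecPatched)
if ($results.Count -eq 0) {
    Write-Output 'HEVC codec not installed: not affected by CVE-2020-17022.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit code lets compliance tooling flag hosts that still need the update.
    if ($results | Where-Object { -not $_.Patched }) { exit 1 }
}
```

A host reported as unpatched should receive the fix through the Microsoft Store's automatic app updates, so a persistent failure usually means Store updates are disabled or blocked on that machine.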
The second bug is tracked as CVE-2020-17023. Microsoft says that attackers can create malicious package.json files that, when loaded in Visual Studio Code, can execute malicious code.
Depending on the user's permissions, an attacker's code could execute with administrator privileges and give them full control over an infected host.
package.json files are commonly used with JavaScript libraries and projects. JavaScript, and particularly its server-side Node.js technology, is among today's most modern and popular technologies.
Visual Studio Code users are advised to update the app to the latest version as soon as possible.