Microsoft Released Out-of-Band Fixes For Two Remote Code Execution Bugs

With monthly scheduled updates for October, Microsoft rolled out fixes for 87 different vulnerabilities, including some publicly known exploits. Days after that, Microsoft fixed two more serious security bugs allowing remote code execution attacks.

Microsoft Fixed Two Remote Code Execution Bugs

Recently, Microsoft has released fixes a couple of serious remote code execution bugs affecting two different products.

The first of these, CVE-2020-17022, existed in the Windows Codecs Library. The flaw specifically existed in the way the product handled objects in memory.

Regarding this bug, Microsoft stated in the advisory,

An attacker who successfully exploited the vulnerability could execute arbitrary code.
Exploitation of the vulnerability requires that a program process a specially crafted image file.

This vulnerability achieved a CVSS score of 7.8, and it affected all versions of Windows 10 version 1709 and later.

The second vulnerability, CVE-2020-17023, affected the Microsoft Visual Studio Code. Due to a flaw in the way Visual Code Studio handled JSON files, it became possible for an attacker to trigger the bug via maliciously crafted ‘package.json’ file.

As described in Microsoft’s advisory,

To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file.

After that, the attacker could gain access to the target system in the context of the current user. In case the victim had administrative privileges, the attacker would also achieve admin access, and consequently, full control of the system.

This vulnerability has also received a CVSS base score of 7.8.

Update Asap

Microsoft has confirmed no previous disclosure or active exploitation of the bugs. However, given the serious nature of the flaws and that the fixes are out, users must ensure updating their systems at the earliest.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients