Microsoft has published two out-of-band security updates to address security issues in the Windows Codecs Library and the Visual Studio Code application.
The two updates come as late arrivals, after the company released its monthly batch of security updates earlier this week, on Tuesday, fixing 87 vulnerabilities this month.
Both new vulnerabilities are remote code execution flaws that allow attackers to execute code on affected systems.
The Windows Codecs Library vulnerability
The first bug is tracked as CVE-2020-17022. Microsoft says that attackers can craft malicious images that, when processed by an app running on top of Windows, can allow the attacker to execute code on an unpatched Windows OS.
All versions of Windows 10 are affected.
Microsoft says an update for this library will be automatically installed on user systems through the Microsoft Store.
Not all users are affected, only those who have optionally installed the HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store.
HEVC is not available for offline distribution and is only available through the Microsoft Store. The library is also not supported on Windows Server.
To check whether they are running a vulnerable HEVC codec, users can go to Settings, Apps and Features, and select HEVC, Advanced Options. The secure versions are 1.0.32762.0, 1.0.32763.0, and later.
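The same version check can be scripted instead of clicked through. The following PowerShell is an added example, not code from Microsoft or from the original article; it assumes the Store packages have names matching *HEVCVideoExtension* and treats 1.0.32762.0, the lowest secure version listed above, as the cut-off.

```powershell
# Added example: report installed HEVC codec packages and whether each one
# is at or above the secure versions named in the article.
# Assumption: the Store package names match *HEVCVideoExtension*.
$FixedVersion = [version]'1.0.32762.0'   # lowest secure version listed in the article

function Test-HevcPackage {
    # Test-HevcPackage is a helper defined for this example only.
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version
    )
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Patched = ($Version -ge $FixedVersion)
    }
}

# -AllUsers needs an elevated session; fall back to the current user otherwise.
try {
    $packages = Get-AppxPackage -AllUsers -Name '*HEVCVideoExtension*' -ErrorAction Stop
} catch {
    $packages = Get-AppxPackage -Name '*HEVCVideoExtension*'
}

if (-not $packages) {
    Write-Output 'No HEVC codec package found; CVE-2020-17022 does not apply here.'
} else {
    $packages |
        ForEach-Object { Test-HevcPackage -Name $_.Name -Version $_.Version } |
        Format-Table -AutoSize
}
```

A row with Patched set to False means the Microsoft Store has not yet delivered the update on that machine.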
The Visual Studio Code vulnerability
The second bug is tracked as CVE-2020-17023. Microsoft says that attackers can craft malicious package.json files that, when loaded into Visual Studio Code, can execute malicious code.
Depending on the user’s permissions, the attacker’s code can run with administrator privileges and give them full control of the affected host.
Visual Studio Code users are advised to update the app as soon as possible to the latest version.