
Microsoft Issues Two Emergency Windows Patches

Microsoft has published two emergency patches for vulnerabilities that could allow attackers to execute malicious code and take over a Windows system.

The patches arrived days after Microsoft issued its monthly round of patches last week, fixing 87 vulnerabilities, 11 of them critical.

The patches affect Microsoft’s Visual Studio Code source-code editor and the Windows Codecs Library, which provides interfaces for transcoding data in Windows programs.

The Windows Codecs Library flaw, identified as CVE-2020-17022, is caused by a bug in the way the library handles objects in memory, Microsoft said in an advisory.

Malicious code

“An attacker who successfully exploited the vulnerability could execute arbitrary code,” the company said.

The bug can be exploited by causing a program to process a malicious image file.

The update addresses the issue by changing the way the library handles objects in memory.

Users are affected only if they have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store.

Microsoft said a fix would be applied automatically via the Microsoft Store.

To check whether a system is vulnerable, users can look up the version number of the HEVC codec installed on their system; versions 1.0.32762.0, 1.0.32763.0 and later are secure.
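The version check can be scripted across every user profile on a machine. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the Store codecs register as Appx packages whose names match `Microsoft.HEVCVideoExtension*`, and it treats 1.0.32762.0, the lowest secure version named above, as the threshold.

```powershell
# Added example: flag installed HEVC codec packages older than the fixed builds.
# Assumption: the Store codecs appear as Appx packages matching the pattern
# below; adjust it if the packages on your systems are named differently.
$FixedVersion = [version]'1.0.32762.0'   # lowest secure version named in the article
$Pattern      = 'Microsoft.HEVCVideoExtension*'

function Test-HevcVersion {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Version
    )
    # Cast to [version] so the comparison is numeric per field, not lexical.
    $parsed = [version]$Version
    [pscustomobject]@{
        Package = $Name
        Version = $parsed
        Status  = if ($parsed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
    }
}

# Store apps are installed per user, so one profile can hold an old build while
# another is current. -AllUsers needs an elevated session; without elevation,
# fall back to checking only the current user.
try   { $packages = Get-AppxPackage -AllUsers -Name $Pattern -ErrorAction Stop }
catch { $packages = Get-AppxPackage -Name $Pattern }

if (-not $packages) {
    # The article notes only systems with the optional codecs are affected.
    Write-Output 'No HEVC codec package found; the optional codecs are not installed.'
} else {
    $packages |
        ForEach-Object { Test-HevcVersion -Name $_.Name -Version $_.Version } |
        Sort-Object Package, Version -Unique |
        Format-Table -AutoSize
}
```

A row marked `Vulnerable` means the automatic Microsoft Store update has not yet reached that package.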

HEVC is not supported on Windows Server, Microsoft noted.

System takeover

The Visual Studio Code bug can be exploited if a user is tricked into opening a malicious ‘package.json’ file, Microsoft said.

A successful attack could allow the attacker to run malicious code in the context of the current user.

If the user were logged on with administrative user rights, an attacker could take complete control of the affected system.

The attacker would need to convince a target to clone a malicious repository and open it in Visual Studio Code, Microsoft said.

The update modifies the way Visual Studio Code handles JSON files.

Package.json files are used with JavaScript, one of the most widely used programming technologies.

Microsoft urged users to update the app as soon as possible to the most recent, secure version.

The company said it has not identified any mitigations or workarounds for either of the flaws.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
