Microsoft today released two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.
The two updates come as late arrivals after the company released its monthly batch of security updates earlier this week on Tuesday, fixing 87 vulnerabilities this month.
Both new vulnerabilities are "remote code execution" flaws.
Windows Codecs Library Vulnerability
The first bug is tracked as CVE-2020-17022. Microsoft says attackers can create malicious images that, when processed by an application running on top of Windows, could allow an attacker to execute code on a vulnerable Windows OS.
All versions of Windows 10 are affected.
Microsoft said an update for this library will be automatically installed on user systems through the Microsoft Store.
Not all users are affected: only those who have installed the optional HEVC or "Device Manufacturer HEVC" media codecs from the Microsoft Store.
HEVC is not available for offline distribution and is only available through the Microsoft Store. The library is also not supported on Windows Server.
To check whether they are using a vulnerable HEVC codec, users can go to Settings, Apps & Features, and select HEVC, Advanced Options. The secure versions are 1.0.32762.0, 1.0.32763.0 and later.
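The same version check can be scripted for more than one machine. The PowerShell below is an added example, not code from Microsoft or the original article. It assumes the codec packages match the name pattern `Microsoft.HEVCVideoExtension*` and treats any version at or above 1.0.32762.0 as fixed; the helper name `Test-HevcCodecVersion` is hypothetical.

```powershell
# Added example: audit the Store-delivered HEVC codec against the fixed
# versions named in the article (1.0.32762.0, 1.0.32763.0 and later).
# Assumption: the codec packages are matched by the name pattern below.
$NamePattern = 'Microsoft.HEVCVideoExtension*'
$MinFixed    = [version]'1.0.32762.0'

# Hypothetical helper: classify one installed package by its version.
function Test-HevcCodecVersion {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version
    )
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Package  = $Name
        Version  = $Version
        Status   = if ($Version -ge $MinFixed) { 'Fixed' } else { 'Vulnerable' }
    }
}

# -AllUsers needs an elevated session; fall back to the current user otherwise.
try {
    $packages = Get-AppxPackage -AllUsers -Name $NamePattern -ErrorAction Stop
} catch {
    Write-Warning 'Not elevated: checking the current user only.'
    $packages = Get-AppxPackage -Name $NamePattern
}

if (-not $packages) {
    # The codec is optional, so many systems have nothing to report.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Package  = '(none)'
        Version  = $null
        Status   = 'NotInstalled'
    }
} else {
    foreach ($p in $packages) {
        Test-HevcCodecVersion -Name $p.Name -Version ([version]$p.Version)
    }
}
```

A `Vulnerable` result means the automatic Microsoft Store update has not yet been applied on that system.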
Visual Studio Code Vulnerability
The second bug is tracked as CVE-2020-17023. Microsoft says attackers can create malicious package.json files, which can execute malicious code when loaded into Visual Studio Code.
Depending on the user’s permissions, the attacker’s code can be executed with administrative privileges and allow them full control over the infected host.
Visual Studio Code users are advised to update the application to the latest version as soon as possible.