Microsoft has released two out-of-band security updates designed to address remote code execution (RCE) bugs found to affect the Microsoft Windows Codecs Library and Visual Studio Code.
The two vulnerabilities are tracked as CVE-2020-17022 and CVE-2020-17023, both of them being rated as important severity and marked as not being exploited in the wild.
CVE-2020-17022 was reported to Microsoft by Dhanesh Kizhakkinan of FireEye Inc, while CVE-2020-17023 was reported by Justin Steven.
Only Windows 10 client platforms affected
The 'CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability' affects all devices running Windows 10, version 1709 or later, and a vulnerable library version.
The vulnerability is caused by the way that the Microsoft Windows Codecs Library handles objects in memory and successful exploitation requires a program to process a specially crafted image file.
Microsoft says that Windows 10 devices are not vulnerable in their default configuration and that "only customers who have installed the optional HEVC or 'HEVC from Device Manufacturer' media codecs from Microsoft Store may be vulnerable."
Going into Settings > Apps & Features, and selecting HEVC, Advanced Options allows you to check if the codecs have been updated — secure versions are 1.0.32762.0, 1.0.32763.0, and later.
Microsoft patched two similar RCE bugs in June, leading to user confusion because of the ways the security updates were being delivered — via the Microsoft Store instead of the normal Windows Update channel.
The 'CVE-2020-17023 | Visual Studio JSON Remote Code Execution Vulnerability' is triggered when users open a maliciously crafted 'package.json' file and it allows attackers to remotely execute code in the context of the currently logged-on user.
If the user has administrative rights, successful exploitation also enables attackers to create rogue admin accounts on compromised Windows devices.
CVE-2020-17023 is actually a security update bypass for CVE-2020-16881, another Visual Studio Code RCE bug Microsoft attempted to fix on September 8th as Steven told BleepingComputer.
More info on how the vulnerability works can be found in the Twitter thread embedded below.
Microsoft Visual Studio Code seems to have botched the fix for CVE-2020-16881, a "remote code execution" vulnerability regarding "malicious package.json files". The patch can be trivially bypassed. A thread
— GNU/JUSTIN (@justinsteven) October 2, 2020
No mitigation available, updates will install automatically
Microsoft says that it has not identified any mitigating measures or workarounds for the two vulnerabilities.
Affected customers don't have to take any action to secure their computers against CVE-2020-17022 since the security update will be automatically delivered to all impacted devices via the Microsoft Store unless automatic updating for Microsoft Store apps is disabled.
"Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here," Microsoft explains.
BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.
Update October 16, 17:00 EDT: Added more info on CVE-2020-17023.
Comments
cafejose - 4 years ago
I have no idea what any of this means. Would someone explain it so that a commoner type person can understand and know what to do, how to check?
serghei - 4 years ago
You don’t need to worry about CVE-2020-17022 if you haven’t installed the “HEVC Video Extensions from Device Manufacturer" media codecs from the Microsoft Store.
It is a paid app ($0.99), so you’d probably remember if you did get it.
If you did and you have Microsoft Store app auto-updates on, you’ll get the update automatically (check manually for updates in the Store if you’re not sure).
To check if the HEVC media codecs have been patched on your computer you have to go to Windows Settings > Apps & Features and select ‘HEVC, Advanced Options’ — secure versions are 1.0.32762.0, 1.0.32763.0, and later.