Microsoft addresses RCE bugs in Windows Codecs Library and Visual Studio Code

Microsoft has released out-of-band patches to address two serious remote code execution (RCE) bugs, which, if exploited, could enable attackers to remotely execute arbitrary code on vulnerable Windows systems and steal sensitive information.

These emergency patches have come within days of Microsoft's October 2020 Patch Tuesday update, which addressed a total of 87 security vulnerabilities across 12 products.

The first of the two new bugs, indexed as CVE-2020-17022, exists in the Microsoft Windows Codecs Library. It stems from the way in which the Codecs Library handles objects in memory. To exploit the bug, an attacker would first need to get a programme to process a specially crafted image file.

The second flaw, indexed as CVE-2020-17023, affects Visual Studio Code, Microsoft's free source-code editor for Windows, macOS and Linux. To exploit the bug, an attacker would first need to trick a user into cloning a repository and opening it in Visual Studio Code. The malicious code executes when the target opens the malicious 'package.json' file.

After exploiting the flaw, the attacker can run arbitrary code in the context of the current user. If the user is logged on with admin privileges, an attacker can take control of the target system to create new accounts, install malicious programmes, or view, modify and delete data.

The US Cybersecurity and Infrastructure Security Agency (CISA)