Microsoft issues two emergency Windows patches

The flaws, neither of which is being actively exploited, were fixed merely days after the monthly Patch Tuesday rollout



Microsoft has rushed out fixes for two security vulnerabilities affecting the Microsoft Windows Codecs Library and Visual Studio Code. The security flaws are classified as Remote Code Execution (RCE) vulnerabilities and, if successfully exploited, could allow threat actors to take over an affected system entirely.


Both vulnerabilities hold a score of 7.8 on the Common Vulnerability Scoring System (CVSS) scale and are considered “important” by Microsoft. There seems to be no evidence to suggest that either has been under active exploitation.


Indexed as CVE-2020-17022, the security loophole in the Windows Codecs Library does not affect users running Windows 10 in its default configuration. Instead, only users who have installed the optional High Efficiency Video Coding (HEVC) or “HEVC from Device Manufacturer” media codecs and are running Windows 10 version 1709 or above could be vulnerable.


“Exploitation of the vulnerability requires that a program process a specially crafted image file,” Microsoft said, explaining the attack vector a cybercriminal could use. The flaw – for which there are no known mitigations or workarounds – has to do with how Windows Codecs Library handles objects in memory.


It’s worth noting that instead of the usual Microsoft Update channel, the patch is being delivered via the Microsoft Store. Since both HEVC versions are optional apps or components that are offered to customers via the Store, the updates are offered through the same channel.


“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive t ..