The two flaws could trigger remote code execution in Microsoft Windows Codecs Library and Visual Studio Code. As both flaws are rated as important in severity, you should consider applying the patches immediately.
CVE-2020-17022 is a remote code execution vulnerability that exists in how Microsoft Windows Codecs Library handles objects in memory. The vulnerability is also known as “Microsoft Windows Codecs Library Remote Code Execution Vulnerability,” as per the official CVE advisory. The bug was reported to Microsoft by FireEye researcher Dhanesh Kizhakkinan.
According to Microsoft, an attacker who successfully exploited the vulnerability could execute arbitrary code on a vulnerable system. Successful exploitation requires that a program process a specially crafted image file.
The out-of-band update fixes the security issue by correcting how Microsoft Windows Codecs Library handles objects in memory.
Which Windows versions are affected by this RCE bug?
Windows 10, version 1709 or later, and a vulnerable library version.
It should be noted that Windows 10 devices are not affected in their default configuration. “Only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”
“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft says.
CVE-2020-17023 is the vulnerability in Visual Studio Code. It is triggered when a user is tricked into opening a malicious package.json file. If the exploit succeeds, an attacker could run arbitrary code in the current user’s context, Microsoft says. If the current user is logged in with administrative rights, the attacker could take over the system and perform various malicious actions with full user rights.
How can CVE-2020-17023 be exploited?
The attacker needs to trick the targeted user into cloning a repository and opening it in Visual Studio Code. “Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft’s advisory adds.
The update addressed the flaw by modifying the way Visual Studio Code handles JSON files.
The CVE-2020-17023 security flaw was reported to Microsoft by Justin Steven.