October's Patch Tuesday, which fixed 87 bugs, has already passed, but Microsoft developers have now published two unscheduled fixes for vulnerabilities in the Windows Codecs Library and Visual Studio Code. Both bugs allow remote execution of arbitrary code on vulnerable systems.
The bug in the Windows Codecs Library is tracked as CVE-2020-17022 and poses a threat to all versions of Windows 10. Microsoft engineers write that attackers can exploit it by creating malicious images. If such an image is processed by an application running on top of Windows, the attacker can execute arbitrary code.
The bug does not affect all users, only those who have installed the additional HEVC or "HEVC from Device Manufacturer" codecs from the Microsoft Store.
The experts say the Windows Codecs Library will update automatically through the Microsoft Store, and users won't have to take any action.
The vulnerability in Visual Studio Code, in turn, is tracked as CVE-2020-17023. It allows an attacker to create a malicious package.json file that, when loaded by Visual Studio Code, causes malicious code to execute.
The attacker's code runs with the rights of the current user; if that user has administrator privileges, the attacker gains full control over the infected host.
Visual Studio Code users are encouraged to update their application to the latest version as soon as possible.