Magento, Visual Studio Code users: You need to patch!

Microsoft and Adobe released out-of-band security updates for Visual Studio Code, the Windows Codecs Library, and Magento.

Visual Studio Code security

All the updates fix vulnerabilities that could be exploited for remote code execution, but the good news is that none of them are being actively exploited by attackers (yet!).

Microsoft’s updates

Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that’s available for Windows, macOS and Linux.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft explained.

If the target uses an account with administrative privileges, the attacker can take complete control of the affected system.

The vulnerability, discovered by Justin Steven, stems from a botched fix for a previously addressed RCE flaw (CVE-2020-16881).

Microsoft has also fixed a RCE (CVE-2020-17022) in the way that Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file.

It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” the company noted, and explained that “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are offered whenever necessary.”

Adobe’s updates

After fixing just one Adobe Flash Player flaw on October 2020 Patch Tuesday, Adobe has followed up with security updates for several Magento Commerce and Magento Open Source versions.

The updates carry patches for nine vulnerabilities, most of which are exploitable without credentials. Just one of those – CVE-2020-24408, a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component – is exploitable by an attacker that has no administrative privileges.

Among the plugged security holes are two critical ones:

  • CVE-2020-24407 – a file upload allow list bypass that could be exploited to achieve code execution
  • CVE-2020-24400 – an SQL injection that could allow for arbitrary read or write access to database

Don't miss