Microsoft and Adobe released out-of-band security updates for Visual Studio Code, the Windows Codecs Library, and Magento.
All the updates fix vulnerabilities that could be exploited for remote code execution, but the good news is that none of them are being actively exploited by attackers (yet!).
“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft explained.
If the target uses an account with administrative privileges, the attacker can take complete control of the affected system.
Microsoft has also fixed a RCE (CVE-2020-17022) in the way that Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file.
It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store.
“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” the company noted, and explained that “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are offered whenever necessary.”
Among the plugged security holes are two critical ones:
- CVE-2020-24407 – a file upload allow list bypass that could be exploited to achieve code execution
- CVE-2020-24400 – an SQL injection that could allow for arbitrary read or write access to database