A hot potato: Microsoft has released security updates for just-discovered vulnerabilities in the Windows Codecs Library and Visual Studio Code. The Codecs Library vulnerability, tagged CVE-2020-17022, is reported to allow attackers to take over a system. The ploy works by tricking users into loading modified image files via native apps. An attack targeting memory relay protocols is then launched to take control of the system.
Microsoft has asked users who have installed High Efficiency Video Coding (HEVC) to allow system updates via Microsoft Store to resolve the issue. Microsoft customers can confirm the update by going to Settings, Apps & Features options, and then selecting HEVC. The version on the system can be viewed by clicking on Advanced Options. Only versions 1.0.32762.0 and 1.0.32763.0, and later, are safe. The vulnerability notably affects all Windows 10 versions.
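The same version check can be scripted instead of clicking through Settings. The PowerShell below is an added example, not code from Microsoft or from this article; the package name prefix `Microsoft.HEVCVideoExtension` is an assumption not stated on the page, and the threshold is the lowest fixed version quoted above.

```powershell
# Added example: flag HEVC codec packages older than the fixed builds named in the article.
# Assumption: the Store package name starts with "Microsoft.HEVCVideoExtension"
# (the article does not give the package name).
$MinSafe = [version]'1.0.32762.0'   # lowest fixed version quoted in the article

function Test-HevcPatched {
    param([Parameter(Mandatory)][version]$Installed)
    # [version] compares all four fields numerically, so 1.0.9999.0 < 1.0.32762.0
    return $Installed -ge $MinSafe
}

# -AllUsers needs an elevated prompt; drop it to check only the current user.
$packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $packages) {
    Write-Output 'No HEVC codec package matched the query on this machine.'
    return
}

$packages | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Version = $_.Version
        Patched = Test-HevcPatched -Installed ([version]$_.Version)
    }
} | Format-Table -AutoSize
```

Any row with `Patched` set to `False` still needs the Microsoft Store update described above.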
On to the second update, the Visual Studio Code vulnerability labeled CVE-2020-17023 allows bad actors to gain access to a computer. Hackers are able to take control of a system by convincing users to view a malicious JSON file. Once loaded using Visual Studio, the malicious code deploys, giving the intruder administrator access.
The CVE-2020-17022 and CVE-2020-17023 updates come on the heels of the elaborate October 2020 Patch. It covered 87 security issues affecting 12 key system features, which included Microsoft Visual Studio, Exchange Server, JET Database Engine, MS Office, .NET Framework, and Web Apps.
The CVE-2020-16947 update contained in the October Patch was among the most notable. In some cases, it allowed hackers to take over an infected machine without the victim clicking on a trigger file. All a user had to do was view a compromised email attachment using a vulnerable Microsoft Outlook version in the preview pane, and the infection process would begin.
User accounts with limited administrative rights were found to be less affected compared to those with administrator privileges.
As for the most recent Windows Codecs Library and Visual Studio Code patches, the US Cybersecurity and Infrastructure Security Agency (CISA) has asked Windows users to install the updates promptly to thwart attacks.