Two out-of-band security updates addressing the CVE-2020-17022 and CVE-2020-17023 vulnerabilities were just released.

The two flaws could trigger remote code execution in Microsoft Windows Codecs Library and Visual Studio Code. As both flaws are rated as important in severity, you should consider applying the patches immediately.


CVE-2020-17022 is a remote code execution vulnerability that exists in how Microsoft Windows Codecs Library handles objects in memory. The vulnerability is also known as “Microsoft Windows Codecs Library Remote Code Execution Vulnerability,” as per the official CVE advisory. The bug was reported to Microsoft by FireEye researcher Dhanesh Kizhakkinan.

According to Microsoft, an attacker who successfully exploited the vulnerability could execute arbitrary code on a vulnerable system. For the exploitation to be successful, the attacker needs a program that processes a specially crafted image file.

The out-of-band update fixes the security issue by correcting how Microsoft Windows Codecs Library handles objects in memory.

Which Windows versions are affected by this RCE bug?
Windows 10, version 1709 or later, and a vulnerable library version.
It should be noted that Windows 10 devices are not affected in their default configuration. “Only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” Microsoft says.


This vulnerability exists in Visual Studio Code. It is triggered when a user is tricked into opening a malicious package.json file. In case of a successful exploit, an attacker could run arbitrary code in the current user’s context, Microsoft says. If the current user is logged in with administrative rights, the attacker could take over the system and perform various malicious actions with full user rights.

How can CVE-2020-17023 be exploited?
The attacker needs to trick the targeted user into cloning a repository and opening it in Visual Studio Code. “Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft’s advisory adds.

The update addressed the flaw by modifying the way Visual Studio Code handles JSON files.
The CVE-2020-17023 security flaw was reported to Microsoft by Justin Steven.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
Follow Milena @Milenyim

More Posts

Follow Me:

Source link

Is your business effected by Cyber Crime?

If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.

Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7.

Europe +31558448040
UK +44 20 8089 9944
ASIA +85239733884