Microsoft has released two out-of-band fixes, one for the Windows Codecs Library and one for Visual Studio Code, to address a remote code execution vulnerability in each.
The Windows bug is in the HEVC (H.265) codec shipped through the Windows Codecs Library. Per Microsoft's advisory it affects Windows 10 version 1709 and later, but only on systems where the optional codec package is installed.
Detailed in CVE-2020-17022, the flaw lets an attacker craft a malicious image file that, when processed by an application using the codec on an unpatched system, executes the attacker's code in the context of that application. Any app that decodes the file, not just an image viewer, is a potential trigger.
Only users who installed the optional "HEVC Video Extensions" or "HEVC Video Extensions from Device Manufacturer" packages from the Microsoft Store are affected. Because the codec is a Store package, the fix is delivered through the Store's automatic updates rather than Windows Update, so machines with Store updates disabled or blocked will not receive it.
To check whether a vulnerable version is installed, open Settings, Apps, Apps & features, select the HEVC Video Extensions entry and click Advanced options to read the version. Versions 1.0.32762.0 and 1.0.32763.0 (and later) contain the fix; anything earlier is vulnerable.
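The same check can be scripted for fleet-wide triage. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Store package names are Microsoft.HEVCVideoExtension (the Store listing) and Microsoft.HEVCVideoExtensions (the "from Device Manufacturer" listing), which the wildcard covers, and compares each installed version against the lowest fixed build named in the advisory.

```powershell
# Added example (not from the article): flag HEVC codec packages below the fixed
# builds named in Microsoft's advisory for CVE-2020-17022.
# Assumption: the Store packages are named Microsoft.HEVCVideoExtension*
# (covers both the Store listing and the "from Device Manufacturer" listing).
$fixed = [version]'1.0.32762.0'   # 1.0.32762.0 and 1.0.32763.0 (and later) contain the fix

# Store packages are registered per user; add -AllUsers (needs elevation) to see every profile.
$pkgs = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*'

if (-not $pkgs) {
    Write-Output 'No HEVC codec package installed: CVE-2020-17022 does not apply to this machine.'
    return
}

foreach ($p in $pkgs) {
    # Version is a string like "1.0.31823.0"; [version] gives a proper numeric comparison
    # rather than a string one (so 1.0.9999.0 is not "greater" than 1.0.32762.0).
    $v = [version]$p.Version
    $state = if ($v -lt $fixed) { 'VULNERABLE' } else { 'patched' }
    '{0,-40} {1,-14} {2}' -f $p.Name, $p.Version, $state
}
```

If a package is reported as VULNERABLE, opening the Store's Downloads and updates page (for example with `Start-Process 'ms-windows-store://downloadsandupdates'`) and clicking Get updates pulls the fixed build without waiting for the automatic update cycle.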
The other vulnerability affects Visual Studio Code.
Tracked as CVE-2020-17023, the bug lets an attacker craft a malicious package.json file that, when opened in Visual Studio Code, causes the editor to execute attacker-controlled code. The code runs with the privileges of the user running Visual Studio Code, so a user who runs the editor as an administrator hands the attacker administrative rights. Cloning an untrusted repository and opening it in the editor is enough to expose the file, so no further interaction with its contents is required.
An updated version of Visual Studio Code is available and Microsoft recommends updating as soon as possible; Help > Check for Updates in the editor (or the platform's package manager for managed installs) picks it up.