Last week, Microsoft released the Patch Tuesday Update for October 2020. For the first time in seven consecutive months it fixed fewer than 100 vulnerabilities, 87 to be precise. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has taken note of the entire list of fixed vulnerabilities, and on Friday issued an advisory for enterprises, specifically asking them to apply the required patches for two Microsoft vulnerabilities – RCE flaws in the Windows Codecs Library and Visual Studio Code – from last week’s Patch Tuesday update.
The two CVEs, CVE-2020-17022 and CVE-2020-17023, had a CVSS rating of 7.8 and were rated “important” by Microsoft. Talking about the severity of the vulnerabilities disclosed, Tenable’s Security Response Manager, Rody Quinlan, said, “The former is a remote code execution (RCE) vulnerability in the Microsoft Windows Codecs Library given how it handles objects in memory, specifically versions prior to 1.0.32762.0 or 1.0.32763.0 of the High-Efficiency Video Coding (HEVC) video codecs. However, the latter is an RCE vulnerability in Visual Studio Code that can be triggered by the opening of a malicious “package.json” file. This vulnerability stems from an unsuccessful patch for CVE-2020-16881 released as part of Microsoft’s regular Patch Tuesday updates in September.”
Quinlan also explained that although these are RCEs, both require a degree of social engineering to exploit. In the case of CVE-2020-17022, a threat actor would need to convince a victim to use a program to process a maliciously crafted image file. For CVE-2020-17023, a threat actor must convince a victim to clone a repository containing a malicious “package.json” and open it in Visual Studio Code. But there is one similarity between the two: if exploited successfully, either vulnerability results in the execution of arbitrary code on the target system.
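As an added defender-side check, not part of the article or of any Microsoft tooling, the PowerShell snippet below inventories the installed HEVC codec package(s) and compares their version against the two fixed builds quoted above. The package-name wildcard `Microsoft.HEVCVideoExtension*` is an assumption, and because the article does not say which fixed version applies to which package line, anything below the higher build is flagged for review and anything below the lower build is flagged as vulnerable.

```powershell
# Added example (not from the article): flag installed HEVC codec packages
# whose version is below the fixed builds named for CVE-2020-17022.
# Assumption: the Store/OEM codec packages match 'Microsoft.HEVCVideoExtension*'.
$LowerFixed = [version]'1.0.32762.0'   # below this: vulnerable on either line
$UpperFixed = [version]'1.0.32763.0'   # below this but >= lower: check which line applies

function Get-HevcCodecStatus {
    param([string]$PackageFilter = 'Microsoft.HEVCVideoExtension*')

    # Per-user packages only; add -AllUsers from an elevated shell for a full inventory.
    $packages = Get-AppxPackage -Name $PackageFilter -ErrorAction SilentlyContinue
    if (-not $packages) {
        return [pscustomobject]@{ Package = $PackageFilter; Version = $null; Status = 'NotInstalled' }
    }

    foreach ($pkg in $packages) {
        $v = [version]$pkg.Version          # Appx Version is a string such as '1.0.31823.0'
        $status = if ($v -lt $LowerFixed)      { 'Vulnerable' }
                  elseif ($v -lt $UpperFixed)  { 'ReviewChannel' }
                  else                         { 'Patched' }
        [pscustomobject]@{ Package = $pkg.Name; Version = $v; Status = $status }
    }
}

Get-HevcCodecStatus | Format-Table -AutoSize
```

A `Vulnerable` or `ReviewChannel` result means the Microsoft Store update the article mentions has not yet landed on that machine; a `NotInstalled` result means the optional codec is absent and CVE-2020-17022 does not apply there.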
Microsoft does not commonly release out-of-band (OOB) patches. However, in the case of CVE-2020-17022, Microsoft notes, “These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store,” hence the OOB patching approach. Microsoft adds that “Affected customers will be automatically updated by Microsoft Store.”
With CVE-2020-17023 requiring an update, coupled with an out-of-band advisory, both CISA and Quinlan have encouraged administrators to patch this vulnerability quickly. While Microsoft highlights that no exploitation has been observed in the wild, the follow-up CISA advisory suggests that administrators should review the patches and apply the updates where necessary.