Microsoft Issues Out-of-Band Updates to Correct Two RCE Flaws

On Friday, Microsoft issued out-of-band patches to correct two flaws which could potentially lead to remote code execution. The flaws have been rated ‘important’ by Microsoft, although they could potentially be exploited by an attacker to gain full control of a vulnerable system.

One of the flaws – tracked as CVE-2020-17023 – affects Microsoft’s Visual Studio Core, a source code editor for Windows, Linux, and macOS. If exploited, an attacker could run arbitrary code in the context of the current user. In order to exploit the flaw an attacker would need to convince a user to clone a repository and open it in Visual Studio Code. When the package.json file is opened, the attacker’s malicious code would be executed. Social engineering techniques could be used to convince the user to take those actions.

If the user is logged in as an administrator, the attacker would gain full administrative rights to the affected system and could view, change, delete, or exfiltrate data, install new programs, or create new accounts with full admin rights. The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10. The patch changes the way Visual Studio Code handles JSON files.

The second flaw – tracked as CVE-2020-17022 – concerns the Microsoft Windows Codec Library and is due to how the codecs library handles objects in the memory. Exploitation of the vulnerability could similarly lead to the execution of arbitrary code but would require the use of a program to process a specially crafted image file.

The flaw only affects users who have installed the “HEVC” or “HEVC from Device Manufacturer” media codecs from the Microsoft Store. The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10. The patch changes the way the Codecs Library handles objects in the memory.

While out-of-band updates were released, Microsoft is unaware of any cases of exploitation of either flaw in the wild.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of