Η Microsoft κυκλοφόρησε δύο ενημερωμένες εκδόσεις ασφαλείας εκτός προγραμματισμού για την αντιμετώπιση ζητημάτων ασφαλείας στη βιβλιοθήκη Windows Codecs και στην εφαρμογή Visual Studio Code.
The two updates come after the monthly release of security updates last Tuesday, which corrected 87 vulnerabilities.
Both new vulnerabilities allow remote code execution.
The first error has been documented as CVE-2020-17022 and Microsoft reports that attackers can create malicious images that when submitted to processing από μια εφαρμογή των Windows, μπορούν να επιτρέψουν στον εισβολέα να τρέξει κώδικα στο λειτουργικό system of Windows.
All versions of Windows 10 are affected.
Microsoft has indicated that an update to this library will be automatically installed on users' systems via Microsoft Store.
Not all users are affected, but only those who have installed the optional HEVC or "HEVC from Device Manufacturer" media encoders from the Microsoft Store.
HEVC is only available through the Microsoft Store. This library is also not supported on Windows Server.
To check and see if you are using a vulnerable HEVC encoder, you can look in Settings, Applications and Features. Select HEVC, Advanced Options. Secure versions are 1.0.32762.0, 1.0.32763.0 or later.
The second error has been documented as CVE-2020-17023 και η Microsoft αναφέρει ότι οι εισβολείς μπορούν να δημιουργήσουν κακόβουλα αρχεία package.json τα οποία, όταν φορτώνονται στο Visual Studio Code, μπορούν να τρέξουν malicious code.
Depending on the rights of the user, the intruder code could run with administrator privileges and allow it to have full control over an infected host.
Package.json files are regularly used with libraries and JavaScript projects. JavaScript, and especially Node.js server-side technology, is one of the most popular technologies today.
Of course, Visual Studio Code users are advised to update the application to the latest version as soon as possible.