Security is one of the fundamental pillars for Microsoft in Windows 10. Since the operating system was released, the Redmond company has made several changes to how it updates its software. Instead of waiting until the second Tuesday of each month, important security updates are released as soon as they are available.
On this occasion, Microsoft has been forced to release updates for Windows 10 and Visual Studio to mitigate two serious vulnerabilities. They come a few days after the latest cumulative update, which fixed 87 vulnerabilities in the world’s most widely used operating system.
The hole in Windows 10 was caused by the HEVC codec
The first flaw is tracked as CVE-2020-17022 and affects all versions of Windows 10. Microsoft indicates that an attacker can use image files which, when opened by a Windows application, allow remote code execution on an unpatched Windows system. Specifically, it affects images that use the HEVC codec.
The update in question will not arrive through Windows Update but through the Microsoft Store. The Store will update the “device manufacturer’s HEVC” application, so only those who use this codec are affected. As this is a Store app, Windows Server editions are not affected.
To check whether a system is affected, go to Settings > Applications and features, select HEVC and click Advanced options. The versions that have the patch are 1.0.32762.0, 1.0.32763.0 and later.
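The same version check can be scripted instead of clicked through. The PowerShell below is an added example, not taken from Microsoft or from the original article; the package name pattern `Microsoft.HEVCVideoExtension*` is an assumption about how the Store codec is registered, and the threshold is the 1.0.32762.0 version quoted above.

```powershell
# Added example: report whether the installed HEVC codec package is at or
# above the patched version named in the article (1.0.32762.0).
# Assumption: the Store codec packages match Microsoft.HEVCVideoExtension*.

$MinPatched = [version]'1.0.32762.0'

function Test-HevcPatched {
    param(
        [Parameter(Mandatory)][string]$Version,
        [version]$Minimum = $MinPatched
    )
    # [version] compares field by field as integers, so 1.0.4000.0 is
    # correctly treated as older than 1.0.32762.0 (a string compare is not).
    return ([version]$Version -ge $Minimum)
}

function Get-HevcPatchStatus {
    $pattern = 'Microsoft.HEVCVideoExtension*'
    try {
        # -AllUsers requires an elevated session
        $pkgs = Get-AppxPackage -AllUsers -Name $pattern -ErrorAction Stop
    } catch {
        Write-Warning 'Not elevated: checking the current user only.'
        $pkgs = Get-AppxPackage -Name $pattern
    }

    if (-not $pkgs) {
        # Per the article, only systems with the codec installed are affected
        Write-Warning 'No HEVC codec package found on this system.'
        return
    }

    foreach ($p in $pkgs) {
        [pscustomobject]@{
            Name    = $p.Name
            Version = $p.Version
            Patched = Test-HevcPatched -Version $p.Version
        }
    }
}

Get-HevcPatchStatus | Format-Table -AutoSize
```

A row with `Patched` set to `False` means the Microsoft Store has not yet delivered the fixed codec to that machine.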
Running malicious code in Visual Studio
The second major vulnerability, labeled CVE-2020-17023, is in Visual Studio. Microsoft indicates that attackers can insert malicious code into package.json files; when such a file is loaded into Visual Studio, the code can run and infect the computer with any type of malware.