On Friday, the US’ CISA issued an advisory for two Microsoft vulnerabilities not addressed in last week’s Patch Tuesday update.
Rody Quinlan, Security Response Manager at Tenable, has offered the following perspective:
“On Friday, October 16, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory in response to Microsoft’s out-of-band patches for CVE-2020-17022 and CVE-2020-17023, both with a CVSS of 7.8 and highlighted as “important” by Microsoft. The former is a remote code execution (RCE) vulnerability in the Microsoft Windows Codecs Library given how it handles objects in memory, specifically versions prior to 1.0.32762.0 or 1.0.32763.0 of the High-Efficiency Video Coding (HEVC) video codecs. The latter is an RCE vulnerability in Visual Studio Code that can be triggered by the opening of a malicious “package.json” file. This vulnerability stems from an unsuccessful patch for CVE-2020-16881 released as part of Microsoft’s regular Patch Tuesday updates in September.
While these are RCEs, both require a degree of social engineering to exploit. In the case of CVE-2020-17022, a threat actor would need to convince a victim to use a program to process a maliciously crafted image file. For CVE-2020-17023, a threat actor must convince a victim to clone a repository with a malicious “package.json” and open it in Visual Studio Code. Exploitation of either vulnerability results in the execution of arbitrary code on the target system.
Microsoft does not commonly release out-of-band patches. However, in the case of CVE-2020-17022, Microsoft notes that, “These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store,” hence the OOB patching approach. Microsoft also notes for CVE-2020-17022 that, “Affected customers will be automatically updated by Microsoft Store.” With CVE-2020-17023 requiring an update to be applied, coupled with an out-of-band advisory, we encourage administrators to patch quickly, despite this vulnerability requiring some level of user interaction to exploit. While Microsoft highlights there has been no exploitation observed in the wild, the follow-up of the CISA advisory suggests that administrators should review the patches and apply the updates if necessary.”
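Because the CVE-2020-17022 fix arrives silently through the Microsoft Store, administrators may want to confirm the installed HEVC codec is at or above the fixed builds the advisory names. The following PowerShell check is an added example, not code from the article or from Tenable; it assumes the Store package name matches the pattern Microsoft.HEVCVideoExtension* and treats any version at or above the lower of the two fixed builds as patched.

```powershell
# Added example: report whether the installed HEVC Video Extensions package
# is older than the fixed builds cited in the advisory (1.0.32762.0 / 1.0.32763.0).
# Assumption: the package name matches 'Microsoft.HEVCVideoExtension*'.
# Run as the logged-on user; add -AllUsers (requires elevation) to cover every profile.
$fixedVersions = @([version]'1.0.32762.0', [version]'1.0.32763.0')
# Simplification: anything at or above the lower fixed build is reported as patched.
$minFixed = ($fixedVersions | Sort-Object)[0]

$packages = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction SilentlyContinue
if (-not $packages) {
    Write-Output 'No HEVC Video Extensions package found; the affected codec is not installed for this user.'
    return
}

foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    $status = if ($installed -ge $minFixed) {
        'patched'
    } else {
        'OUTDATED - confirm the Microsoft Store has delivered the update'
    }
    [pscustomobject]@{
        Package = $pkg.Name
        Version = $installed
        Status  = $status
    }
}
```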