Microsoft addresses RCE bugs in Windows Codecs Library and Visual Studio Code

CISA is advising users and admins to patch their systems as soon as possible

Microsoft has released out-of-band patches to address two serious remote code execution (RCE) bugs, which, if exploited, could enable attackers to remotely execute arbitrary code on vulnerable Windows systems and steal sensitive information.

These emergency patches have come within days of Microsoft's October 2020 Patch Tuesday update, which addressed a total of 87 security vulnerabilities across 12 products.

The first of the two new bugs, indexed as CVE-2020-17022, exists in the Microsoft Windows Codecs Library. It stems from the way in which the Codecs Library handles objects in memory. To exploit the bug, an attacker would first need a programme to process a specially crafted image file.

The second flaw, indexed as CVE-2020-17023, impacts Visual Studio Code, Microsoft's free source-code editor for Windows, macOS and Linux. To exploit the bug, an attacker would first need to trick a user into cloning a repository and opening it in Visual Studio Code. The malicious code will execute as the target opens the malicious 'package.json' file.

After exploiting the flaw, the attacker can run arbitrary code in the context of the current user. If the user is logged on with admin privileges, an attacker can take control of the target system to create new accounts, install malicious programmes, or view, modify and delete data.

The US Cybersecurity and Infrastructure Security Agency (CISA) advised users and admins to apply appropriate patches on their systems to prevent attackers from stealing sensitive information from their systems.

These security updates from Microsoft have come as a security researcher warned last week that cyber actors are trying to exploit the critical Zerologon vulnerability, to deploy backdoors in servers that store credentials for each user and admin account on a network.

Zerologon, indexed as CVE-2020-1472, is an elevation-of-privilege bug in Netlogon Remote Protocol (MS-NRPC), which is used to authenticate users against domain controllers. The vulnerability arises due to a flaw in the cryptographic algorithm used in the Netlogon authentication process. This flaw lets an attacker impersonate any computer and run remote procedure calls on their behalf.

Last week, Kevin Beaumont, an independent security researcher, revealed in a blog post that he recently deployed honeypots to find out how hackers were attacking the Zerologon bug in the wild. Beaumont says attackers used a PowerShell script to modify an admin password in his honeypot server that was not patched against the vulnerability and also deployed a backdoor in it.

The attackers' commands took just a few seconds to complete, he said, enabling them to install the server and gain remote admin access to devices within the network.

Also last week, the UK National Cyber Security Centre (NCSC) published an alert to warn organisations of a new RCE bug affecting Microsoft SharePoint. Indexed as CVE-2020-16952, this bug could allow attackers to run arbitrary code on affected installations of SharePoint server and to carry out security actions in the context of the local administrator.

The NCSC advised users and admins to apply appropriate security updates to their affected SharePoint products to protect their sensitive data from hackers.