News

Microsoft Issues Out-of-Band Security Patches for the Window Codec Library and Visual Studio Code

• By Kurt Mackie
• 10/19/2020

Microsoft issued two "out-of-band" security updates late last week.

The two security bulletins, noted in a Friday post by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), were released outside Microsoft's usual "update Tuesday" security patch-release cycle. Microsoft's October security bundle had arrived on Oct. 13 (the second Tuesday of the month).

Additionally, a security solutions firm this week found that most phishing attacks are trying to fool end users by spoofing the Microsoft brand.

Two Important Vulnerabilities
The two out-of-band security patches are just rated "Important" by Microsoft, although they both have a Common Vulnerability Scoring System score of 7.8 (Base) out of 10. One of them (CVE-2020-17022) is a remote code execution vulnerability in the Windows Codec Library. The other (CVE-2020-17023) is a remote code execution vulnerability in Visual Studio Code.

Not everyone is subject to the Windows Codec Library vulnerability. It only affects users who have installed an optional High-Efficiency Videocoding (HEVC, also known as "H.265") codec from a device maker from the Microsoft Store. The vulnerability just pertains to Windows 10 users and could get triggered when a "specially crafted image file" is processed, permitting the execution of arbitrary code by an attacker.

The Microsoft Store will automatically deliver a fix for the CVE-2020-17022 vulnerability, so there are no actions to take. The issue can be verified as secure versions of the Windows Codec Library are "1.0.32762.0, 1.0.32763.0, and later."

The second vulnerability (CVE-2020-17023) requires tricking a Visual Studio Code user to click on a "malicious "package.json" file, which could enable an attacker to run "arbitrary code in the context of the current user." The attack involves additional trickery, as well. The end user needs to "clone a repository and open it in Visual Studio Code." The out-of-band patch will change how JSON files get handled by Visual Studio Code, which will fix the issue, Microsoft explained.

Most Imitated in Phishing Attacks
If that weren't enough on the security front, Microsoft gained the dubious distinction of being the "most imitated" company used for phishing attacks. Security solutions firm Check Point announced that conclusion this week, based on its third quarter analysis.

The overall top brands used in phishing attacks in Q3 were as follows, per Check Point:

1. Microsoft (related to 19% of all brand phishing attempts globally)
2. DHL (9%)
3. Google (9%)
4. PayPal (6%)
5. Netflix (6%)
6. Facebook (5%)
7. Apple (5%)
8. Whatsapp (5%)
9. Amazon (4%)
10. Instagram (4%)

Microsoft topped the list when the phishing attempt was made using e-mails, as well as when the phishing attempt happened via a Web site. The aim of these phishing attacks is typically to steal user credentials.

The Microsoft brand gets used the most for these phishing attacks because of the work-from-home scenario that's common now during the COVID-19 pandemic. The phishing efforts typically try to get users to reset their Microsoft Office 365 credentials, explained Maya Horowitz, Check Point's director of threat intelligence and research. 

"As always, we encourage users to be cautious when divulging personal data and credentials to business applications, and to think twice before opening email attachments or links, especially emails that claim to be from companies, such as Microsoft or Google, who are most likely to be impersonated," Horowitz said in a released statement.