Security is a fundamental pillar for Microsoft in Windows 10. Since the operating system was released, Redmond has made several changes to how it updates its software, so that important security updates can be released as soon as they become available instead of waiting for the second Tuesday of each month.
On this occasion, Microsoft was forced to release updates for Windows 10 and Visual Studio to mitigate two serious vulnerabilities. The update comes days after the release of the latest cumulative update, which fixed 87 vulnerabilities in the world's most widely used operating system.
Windows 10 hole was caused by HEVC codec
The first flaw is cataloged as CVE-2020-17022 and affects all versions of Windows 10. Microsoft reports that attackers can use image files which, when opened by a Windows application, allow the attacker to remotely run code on an unpatched Windows system. Specifically, it affects images that use the HEVC codec.
The update in question will not arrive through Windows Update; it will be delivered through the Microsoft Store. The store will update the "Device Manufacturer HEVC" app, so only those who use this codec are affected. Because this is a Store app, Windows Server editions are not affected.
To check whether a system is affected, go to Settings > Apps & Features, select HEVC and click Advanced options. The versions that have the fix are 1.0.32762.0, 1.0.32763.0, and later.
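The same version check can be scripted when more than one machine has to be verified. The PowerShell below is an added example, not code from Microsoft or from the original article; the package name pattern `Microsoft.HEVCVideoExtension*` is an assumption that does not appear on this page, the sample records are constructed, and the threshold is the lowest fixed version listed above.

```powershell
# Added example: scripted form of the Settings > Apps & Features check.
# Assumption: the Store codec packages match the name pattern below;
# the pattern is not given in the article.
$NamePattern  = 'Microsoft.HEVCVideoExtension*'
# Lowest fixed version named in the article (1.0.32762.0 and later).
$FixedVersion = [version]'1.0.32762.0'

function Test-HevcPackage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Package
    )
    process {
        # Compare as [version], not as strings, so 1.0.4.0 < 1.0.32762.0.
        $installed = [version]$Package.Version
        [pscustomobject]@{
            Name      = $Package.Name
            Installed = $installed
            Fixed     = $FixedVersion
            Patched   = ($installed -ge $FixedVersion)
        }
    }
}

# Constructed sample records (not real inventory) showing both outcomes.
$sample = @(
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtension';  Version = '1.0.31823.0' }
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtensions'; Version = '1.0.32763.0' }
)
$sample | Test-HevcPackage | Format-Table -AutoSize

# Live check: query every user profile when elevated, else the current user.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$found = if ($isAdmin) { Get-AppxPackage -AllUsers -Name $NamePattern }
         else          { Get-AppxPackage -Name $NamePattern }

if (-not $found) {
    # Per the article, only systems that have the codec app are affected.
    'HEVC codec package not installed: this system is not affected.'
} else {
    $found | Test-HevcPackage | Format-Table -AutoSize
}
```

A row with `Patched` set to `False` means the Store has not yet updated the codec app on that machine.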
Executing malicious code in Visual Studio
The second major vulnerability, tracked as CVE-2020-17023, is in Visual Studio. Microsoft reports that attackers can insert malicious code into package.json files which, when loaded into Visual Studio, can execute this code to infect the computer with any type of malware.