Microsoft late last week issued an emergency patch for Windows 10, prompting the U.S. Department of Homeland Security to issue its own alert urging owners of affected systems to run the update.
“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” wrote the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) on Friday (Oct. 16). “An attacker could exploit these vulnerabilities to take control of an affected system.”
The flaws affect computers on which users have installed either a High Efficiency Video Coding (HEVC) plug-in to play specially compressed videos (including 4K Blu-ray discs or videos shot on recent iPhones) or the Microsoft Visual Studio software-development program.
The default builds of Windows 10 are not affected; the user must have installed at least one of the affected Microsoft components.
If the HEVC plug-in was installed from the Windows Store, it should update itself. Otherwise, users should update the software manually. Microsoft Visual Studio likewise needs to be updated manually.
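Because only machines with the HEVC extension installed are exposed, the first thing an administrator wants is a quick inventory check. The PowerShell snippet below is an added example, not code from the article or from Microsoft: it lists any installed HEVC Video Extension packages (the two Store package identities Microsoft publishes both begin with `Microsoft.HEVCVideoExtension`) and compares their version with the fixed version. The article does not state that fixed version, so `$FixedVersion` is a placeholder that must be filled in from Microsoft's security advisory.

```powershell
# Added example (not from the article or from Microsoft).
# Inventory installed HEVC Video Extension packages and flag any that are
# older than the fixed version from Microsoft's advisory.
# PLACEHOLDER: the fixed version is not given in the article; set it from the advisory.
$FixedVersion = [version]'0.0.0.0'

# -AllUsers needs an elevated prompt; drop it to check only the current user.
# -Name accepts wildcards, so this matches both Store package identities.
$hevcPackages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $hevcPackages) {
    Write-Output 'No HEVC Video Extension package is installed; the codec flaw does not apply here.'
    return
}

foreach ($pkg in $hevcPackages) {
    # Version is a string such as 1.0.12345.0; cast it so the comparison is numeric, not lexical.
    $installed = [version]$pkg.Version
    $status = if ($installed -ge $FixedVersion) { 'up to date' } else { 'NEEDS UPDATE' }

    [pscustomobject]@{
        Package = $pkg.Name
        Version = $pkg.Version
        Status  = $status
    }
}
```

Run it in an elevated PowerShell window to see every user profile on the machine. A package reported as `NEEDS UPDATE` should be updated through the Store's "Get updates" button or, if it was not installed from the Store, by the manual route the article describes. Visual Studio is not a Store package and has to be checked through its own updater.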
How this hack works
Remote code execution (RCE) means an attacker can run code on your machine from across the internet. It’s more serious than local code execution, where the attacker needs to have physical access to your computer.
In this case, there are two RCE vulnerabilities. According to Microsoft’s own security advisories, the first flaw affects the way Windows 10 handles video compression in HEVC and can be exploited by “a specially crafted image file” — i.e., a malicious image.
The other flaw exists in Visual Studio and can be exploited “when a user is tricked into opening a malicious ‘package.json’ file.”
Because exploiting either vulnerability requires some interaction from the user, even if it’s just to download a malicious file, the patches are rated as “Important” rather than “Critical.”
Neither flaw had yet been exploited in the wild as of late last week, Microsoft said, and not enough details were disclosed to make exploitation easy to achieve. But crooks and hackers are likely taking apart the released patches to find out how to attack the vulnerabilities.