Microsoft issues out-of-band Windows security updates for RCE bugs

Microsoft has released two out-of-band security updates designed to address remote code execution bugs found to affect the Microsoft Windows Codecs Library and Visual Studio Code.
Microsoft patched two similar RCE bugs in June, which led to user confusion because the security updates were delivered via the Microsoft Store instead of the normal Windows Update channel.
CVE-2020-17023 is actually a security update bypass for CVE-2020-16881, another Visual Studio Code RCE bug Microsoft attempted to fix on September 8th, as Steven told BleepingComputer.
Affected customers don't have to take any action to secure their computers against CVE-2020-17022 since the security update will be automatically delivered to all impacted devices via the Microsoft Store unless automatic updating for Microsoft Store apps is disabled.
"Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here," Microsoft explains.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-16 | CVE-2020-17022 | Unspecified vulnerability in Microsoft Windows 10. A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. | 0.0 |
2020-10-16 | CVE-2020-17023 | Unspecified vulnerability in Microsoft Visual Studio Code. A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. | 0.0 |
2020-09-11 | CVE-2020-16881 | Unspecified vulnerability in Microsoft Visual Studio Code. A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. | 0.0 |