Despite Microsoft publishing this month's Patch Tuesday fixes on October 13, the organization has published two more emergency updates on October 15, this time in an attempt to resolve remote code execution vulnerabilities hitting the Windows Codecs Library and Visual Studio Code.

Among the first to announce the supply of the new updates was the United States Department of Homeland Security's CISA, which published an advisory on its website to recommend administrators to patch their devices as quickly as possible.

"Microsoft has released security updates to deal with remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code. An assailant could exploit these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for CVE-2020-17022 and CVE-2020-17023 and apply the necessary updates," CISA said.

The brand new out-of-band CVEs authored by Microsoft on October 15 are theTo begin with, the RCE flaw affecting the Windows Codecs Library.

Microsoft warns that the attacker would need to convince a potential victim using an unpatched system to spread out a specially crafted image file. When this happens, the attacker may ultimately have the ability to run arbitrary code, what exactly the patch does is resolve the way the library handles objects in memory.

The vulnerability affects all Windows 10 versions on the market, including version 2004, or May 2020 Update. It's received an essential severity rating.

"A remote code execution vulnerability exists in the manner that Microsoft Windows Codecs Library handles objects in memory. An assailant who successfully exploited the vulnerability could execute arbitrary code. Exploitation from the vulnerability mandates that a course process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory," Microsoft explains in its advisory.

And then, it's the Visual Studio vulnerability.

Microsoft explains that the successful attack needs a malicious actor to convince the target to clone a repository after which open it in Visual Studio Code. Although this is obviously a far more complex attack, if the pre-requires are met, the attacker would be able to manage an unpatched system once the malicious package.json file is launched.

The out-of-band patch resolves the vulnerability by simply modifying how Visual Studio Code handles JSON files, Microsoft explains.

"A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An assailant who successfully exploited the vulnerability could run arbitrary code poor the present user. If the current user is logged on with administrative user rights, an attacker might take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the company notes.

Similar to the other vulnerability, the Visual Studio Code has been given an important severity rating.

The good news is that both security flaws happen to be privately disclosed, and Microsoft confirmed that it's not aware of any active exploits happening within the wild. So at the end of the day, it's a good thing that Microsoft released the brand new patches so fast, because this way users can be sure they are protected should any malicious actor attempt to exploit the 2 vulnerabilities.

Obviously, all users are suggested to install the most recent patches as soon as possible on all their devices.