Hello, welcome to the Tuesday in October 20, 2020 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and the time I'm recording from Jacksonville, Florida.

Interestingly, after Microsoft had its big patch Tuesday on, well, last Tuesday, we got two additional patches. Now, the

advisories are dated for October 15th, so that would be last Thursday. I just noticed them,

and both vulnerabilities don't really look like they're critical enough to sort of warrant an out-of-band

or emergency patch, but in particular, the first one, CVE 2020-17-023 sounds interesting. It's a remote

code execution vulnerability in Visual Studio Code. Now, Visual Studio Code is an editor that a lot of

developers like and if you open a malicious JSON file with this editor, remote code

execution may happen. Given that this tool is used by developers who are somewhat a target

and that for a developer it would be perfectly normal to open a JSON file in this editor,

I do think that this vulnerability certainly should be addressed and patched quickly.

The second one is a little bit more run-off the mill, I would say.

It's a remote code execution warby again, but it's in Microsoft Windows codec

libraries.

And given that we have a lot of these vulnerabilities typically, this is not yet exploited.

It has not been publicly disclosed.

I'm not really sure why Microsoft sort of published a special out-of-band patch for this vulnerability.

It does affect Windows 10 only according to the advisory.

Now if Microsoft release a special patch, then Adobe has to release one, two, and we do have

a patch for the Magento e-commerce software.

Given that this has been a big target in the past,

probably worthwhile paying attention here.

...