Club Benefits
You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Daily (Mon-Sun)
Tom's Guide Daily
Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.
Weekly on Thursday
Tom's AI Guide
Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!
Weekly on Friday
Tom's iGuide
Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.
Weekly on Monday
Tom's Streaming Guide
Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
Microsoft late last week issued an emergency patch for Windows 10, prompting the U.S. Department of Homeland Security to issue its own alert urging owners of affected systems to run the update.
"Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code," wrote the DHS' Cybersecurity and Infrastructure Security Agency (CISA) on Friday (Oct. 16). "An attacker could exploit these vulnerabilities to take control of an affected system."
- iPhone 12 review: Our verdict is in
- PS5 may not support this beloved PS4 game — but there's a workaround
- Acer Swift 3X takes on MacBook Air with a whopping 17-hour battery life
The flaws affect computers on which users have installed either a High Efficiency Video Coding (HEVC) plug-in to play specially compressed videos (including 4K Blu-ray discs or videos shot on recent iPhones) or the Microsoft Visual Studio software-development program.
The default builds of Windows 10 are not affected; the user must have installed at least one of the affected Microsoft options.
If the HEVC plug-in was installed from the Windows Store, it should update itself. Otherwise, users should update the software manually. Likewise, Microsoft Visual Studio should also be updated manually.
How this hack works
Remote code execution (RCE) is when a hacker can reach out across the internet and attack your machine. It's more serious than local code execution, where the attacker needs to have physical access to your computer.
In this case, there are two RCE vulnerabilities. According to Microsoft's own security advisories, the first flaw affects the way Windows 10 handles video compression in HEVC and can be exploited by "a specially crafted image file" — i.e., a malicious image.
The other flaw exists in Visual Studio and can be exploited "when a user is tricked into opening a malicious 'package.json' file."
Because exploiting either vulnerability requires some interaction from the user, even if it's just to download a malicious file, the patches are rated as "Important" rather than "Critical."
Neither flaw had yet been exploited in the wild as of late last week, Microsoft said, and not enough details were disclosed to make exploitation easy to achieve. But crooks and hackers are likely taking apart the released patches to find out how to attack the vulnerabilities.
