Microsoft released an emergency patch for Windows 10 late last week, and the U.S. Department of Homeland Security issued its own warning urging owners of affected systems to run the update. [Microsoft has released a security update to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code," the DHS Cybersecurity and Infrastructure Security Agency (CISA) wrote on Friday (Oct. 16). "Attackers can exploit these vulnerabilities to gain control of the affected systems.

The flaws are in the High Efficiency Video Coding (HEVC) plug-in for playing back specially compressed video (including 4K Blu-ray discs and video shot on recent iPhones), or in Microsoft Visual Studio software development program, whichever the user has installed on the computer.

The default build of Windows 10 is not affected. Users must have at least one of the affected Microsoft options installed.

If the HEVC plug-in was installed from the Windows Store, it will itself be updated. Otherwise, the user must manually update the software. Likewise, Microsoft Visual Studio must be updated manually.

Remote Code Execution (RCE) is when a hacker attacks your machine via the Internet. This is more serious than local code execution, which requires the attacker to have physical access to your computer. [In this case, there are two RCE vulnerabilities: according to Microsoft's own security advisory, the first flaw affects the way Windows 10 handles HEVC video compression and can be exploited by "specially crafted image files," or malicious images. [Another flaw exists in Visual Studio, which can be exploited "if a user is tricked into opening a malicious 'package.json' file. [Both vulnerabilities are rated "critical" rather than "critical" patches because they require the user to perform some operation, even if it is only to download a malicious file.

According to Microsoft, as of late last week, neither flaw has yet been exploited, and neither has been disclosed in enough detail to be easily exploited. However, scammers and hackers are likely disassembling the released patches in order to find ways to attack the vulnerabilities.