April 23, 2024

๎ ‚Jun 12, 2023๎ „Ravie LakshmananVulnerability / Software program

Microsoft Visual Studio

Safety researchers have warned about an “simply exploitable” flaw within the Microsoft Visible Studio installer that could possibly be abused by a malicious actor to impersonate a official writer and distribute malicious extensions.

“A menace actor may impersonate a preferred writer and situation a malicious extension to compromise a focused system,” Varonis researcher Dolev Taler said. “Malicious extensions have been used to steal delicate info, silently entry and alter code, or take full management of a system.”

The vulnerability, which is tracked as CVE-2023-28299 (CVSS rating: 5.5), was addressed by Microsoft as a part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.


The bug found by Varonis has to do with the Visible Studio consumer interface, which permits for spoofed writer digital signatures.

Particularly, it trivially bypasses a restriction that forestalls customers from getting into info within the “product title” extension property by opening a Visible Studio Extension (VSIX) bundle as a .ZIP file after which manually including newline characters to the “DisplayName” tag within the “extension.vsixmanifest” file.

Microsoft Visual Studio

By introducing sufficient newline characters within the vsixmanifest file and including faux “Digital Signature” textual content, it was discovered that warnings in regards to the extension not being digitally signed could possibly be simply suppressed, thereby tricking a developer into putting in it.


๐Ÿ” Mastering API Safety: Understanding Your True Assault Floor

Uncover the untapped vulnerabilities in your API ecosystem and take proactive steps in the direction of ironclad safety. Be a part of our insightful webinar!

Join the Session

In a hypothetical assault situation, a nasty actor may ship a phishing electronic mail bearing the spoofed VSIX extension by camouflaging it as a official software program replace and, post-installation, acquire a foothold into the focused machine.

The unauthorized entry may then be used as a launchpad to realize deeper management of the community and facilitate the theft of delicate info.

“The low complexity and privileges required make this exploit straightforward to weaponize,” Taler stated. “Risk actors may use this vulnerability to situation spoofed malicious extensions with the intention of compromising programs.”

Discovered this text attention-grabbing? Observe us on Twitter ๏‚™ and LinkedIn to learn extra unique content material we publish.