Home Cyber Security Researchers Uncover Writer Spoofing Bug in Microsoft Visible Studio Installer

Researchers Uncover Writer Spoofing Bug in Microsoft Visible Studio Installer

0
Researchers Uncover Writer Spoofing Bug in Microsoft Visible Studio Installer

[ad_1]

Jun 12, 2023Ravie LakshmananVulnerability / Software program

Microsoft Visual Studio

Safety researchers have warned about an “simply exploitable” flaw within the Microsoft Visible Studio installer that may very well be abused by a malicious actor to impersonate a official writer and distribute malicious extensions.

“A menace actor may impersonate a well-liked writer and situation a malicious extension to compromise a focused system,” Varonis researcher Dolev Taler mentioned. “Malicious extensions have been used to steal delicate info, silently entry and alter code, or take full management of a system.”

The vulnerability, which is tracked as CVE-2023-28299 (CVSS rating: 5.5), was addressed by Microsoft as a part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.

Cybersecurity

The bug found by Varonis has to do with the Visible Studio person interface, which permits for spoofed writer digital signatures.

Particularly, it trivially bypasses a restriction that stops customers from getting into info within the “product title” extension property by opening a Visible Studio Extension (VSIX) bundle as a .ZIP file after which manually including newline characters to the “DisplayName” tag within the “extension.vsixmanifest” file.

Microsoft Visual Studio

By introducing sufficient newline characters within the vsixmanifest file and including pretend “Digital Signature” textual content, it was discovered that warnings concerning the extension not being digitally signed may very well be simply suppressed, thereby tricking a developer into putting in it.

UPCOMING WEBINAR

🔐 Mastering API Safety: Understanding Your True Assault Floor

Uncover the untapped vulnerabilities in your API ecosystem and take proactive steps in direction of ironclad safety. Be a part of our insightful webinar!

Be a part of the Session

In a hypothetical assault situation, a foul actor may ship a phishing e mail bearing the spoofed VSIX extension by camouflaging it as a official software program replace and, post-installation, achieve a foothold into the focused machine.

The unauthorized entry may then be used as a launchpad to achieve deeper management of the community and facilitate the theft of delicate info.

“The low complexity and privileges required make this exploit straightforward to weaponize,” Taler mentioned. “Risk actors may use this vulnerability to situation spoofed malicious extensions with the intention of compromising methods.”

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.



[ad_2]