
Researchers Discover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Security researchers have warned of an “easily exploitable” vulnerability in the Microsoft Visual Studio installer. If leveraged maliciously, the bug could allow an attacker to pose as a trusted publisher and distribute harmful extensions.
A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system. Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.
Dolev Taler, Security Researcher, Varonis
The vulnerability, tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft in its Patch Tuesday updates for April 2023, which described it as a spoofing flaw.
Varonis found that the issue affects the Visual Studio user interface and permits spoofed publisher digital signatures.
By opening a Visual Studio Extension (VSIX) package as a .ZIP file and manually adding newline characters to the “DisplayName” tag in the “extension.vsixmanifest” file, the restriction on what users can enter in the “product name” extension property is easily bypassed.
The researchers also found that, by adding enough newline characters to the vsixmanifest file and inserting false “Digital Signature” content, the warning that the extension is not digitally signed can be pushed out of view, misleading a developer into installing it.
In a hypothetical attack scenario, a malicious party could disguise a phishing email carrying the forged VSIX extension as a legitimate software update and, once it is installed, gain a foothold on the target computer.
That unauthorized access could then serve as a springboard for taking over more of the network and exfiltrating private data.
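The technique above relies on control characters inside the manifest's DisplayName, something a legitimate extension never needs. The following is an added example, not code from Varonis, Microsoft or the article, of a pre-installation check that opens a VSIX as a ZIP, reads extension.vsixmanifest and flags a DisplayName that contains control characters or is unusually long. It assumes the manifest sits at the archive root and uses the vsx-schema/2011 layout (Metadata/DisplayName); the length threshold and the sample manifests are constructed for the example.

```python
"""Flag VSIX packages whose manifest DisplayName carries control characters.

Added example (not from Varonis, Microsoft or the article). Assumptions:
a VSIX is a ZIP with extension.vsixmanifest at the root, and DisplayName
is a child of Metadata in the vsx-schema/2011 namespace.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MANIFEST_NAME = "extension.vsixmanifest"
# Any ASCII control character (newline, carriage return, tab, ...) has no
# business in a product name that the installer renders in its UI.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_DISPLAY_NAME = 120  # constructed threshold; tune for your environment


def inspect_vsix(data: bytes) -> dict:
    """Return findings for a VSIX given as raw bytes."""
    findings = {"display_name": "", "control_chars": 0,
                "too_long": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if MANIFEST_NAME not in zf.namelist():
            # No manifest at all: treat as suspicious rather than silently pass.
            findings["error"] = "manifest missing"
            findings["suspicious"] = True
            return findings
        root = ET.fromstring(zf.read(MANIFEST_NAME))
    # {*} matches any namespace, so a manifest with a different xmlns still works.
    node = root.find(".//{*}DisplayName")
    name = (node.text or "") if node is not None else ""
    findings["display_name"] = name
    findings["control_chars"] = len(CONTROL_CHARS.findall(name))
    findings["too_long"] = len(name) > MAX_DISPLAY_NAME
    findings["suspicious"] = findings["control_chars"] > 0 or findings["too_long"]
    return findings


def build_sample_vsix(display_name: str) -> bytes:
    """Constructed minimal VSIX used only to exercise the check; not a real extension."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">\n'
        '  <Metadata>\n'
        '    <Identity Id="Example.Sample" Version="1.0" Language="en-US" '
        'Publisher="Example Publisher" />\n'
        f'    <DisplayName>{escape(display_name)}</DisplayName>\n'
        '    <Description>Constructed sample manifest</Description>\n'
        '  </Metadata>\n'
        '</PackageManifest>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_NAME, manifest)
    return buf.getvalue()


def main(argv):
    """Check a .vsix path given on the command line, or run the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {
            "clean": build_sample_vsix("Clean Extension"),
            "padded": build_sample_vsix("Padded Extension" + "\n" * 40),
        }
    for label, data in samples.items():
        result = inspect_vsix(data)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label}: {verdict} (control chars: {result['control_chars']}, "
              f"too long: {result['too_long']})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path to a .vsix file to check a real package, or with no arguments to see the constructed clean and padded samples scored. The check is deliberately narrow: it does not validate signatures, it only refuses to let a product name carry the characters that the spoof depends on, which is the kind of guard the installer UI itself should enforce.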
The low complexity and privileges required make this exploit easy to weaponize. Threat actors could use this vulnerability to issue spoofed malicious extensions with the intention of compromising systems.
Dolev Taler, Security Researcher, Varonis