Security researchers have warned about an “easily exploitable” flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.
“A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system,” Varonis researcher Dolev Taler said. “Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.”
The vulnerability, which is tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.
The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures.
Specifically, the technique trivially bypasses a restriction that prevents users from entering information in the “product name” extension property: the Visual Studio Extension (VSIX) package is opened as a .ZIP file and newline characters are manually added to the “DisplayName” tag in the “extension.vsixmanifest” file.
By introducing enough newline characters in the vsixmanifest file and adding fake “Digital Signature” text, it was found that warnings about the extension not being digitally signed could be easily suppressed, thereby tricking a developer into installing it.
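The manifest padding described above leaves a detectable trace. The following is an added example (not Varonis' or Microsoft's code) that opens a VSIX as a ZIP archive, reads its root extension.vsixmanifest, and flags a DisplayName that carries control characters or signature-status wording; the manifest layout and sample names are constructed for the test.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed detection helper. A VSIX is a ZIP archive whose root holds
# extension.vsixmanifest; the spoof padded DisplayName with newlines so fake
# signature text appears where the installer's signing warning is expected.
MANIFEST = "extension.vsixmanifest"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # newline, CR, tab and friends
SIGNATURE_WORDS = re.compile(r"digital\s*signature|digitally\s*signed", re.I)


def inspect_manifest(xml_bytes: bytes) -> list[str]:
    """Return findings for one extension.vsixmanifest document."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        # Drop the XML namespace so the check covers any manifest schema version.
        if elem.tag.rsplit("}", 1)[-1] != "DisplayName":
            continue
        text = elem.text or ""
        hits = CONTROL_CHARS.findall(text)
        if hits:
            findings.append(f"DisplayName contains {len(hits)} control character(s)")
        if SIGNATURE_WORDS.search(text):
            findings.append("DisplayName contains signature-status wording")
    return findings


def inspect_vsix(vsix_bytes: bytes) -> list[str]:
    """Open a VSIX (ZIP) held in memory and inspect its root manifest."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        if MANIFEST not in zf.namelist():
            return ["missing extension.vsixmanifest"]
        return inspect_manifest(zf.read(MANIFEST))


def build_vsix(display_name: str) -> bytes:
    """Build a minimal constructed VSIX for testing (real packages hold more)."""
    manifest = (
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
        f"<Metadata><DisplayName>{display_name}</DisplayName></Metadata>"
        "</PackageManifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()
```

A clean package yields no findings; a DisplayName padded with newlines and followed by signature wording yields one finding per check.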
In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.
The unauthorized access could then be used as a launchpad to gain deeper control of the network and facilitate the theft of sensitive information.
“The low complexity and privileges required make this exploit easy to weaponize,” Taler said. “Threat actors could use this vulnerability to issue spoofed malicious extensions with the intention of compromising systems.”