
Easily Exploitable Spoofing Bug in Visual Studio Raises Alarm among Researchers


Security Researchers Warn About Spoofing Bug in Microsoft Visual Studio Installer

Security researchers from Varonis have discovered a spoofing vulnerability in the Microsoft Visual Studio installer that enables attackers to create and distribute malicious extensions to application developers while posing as legitimate software publishers. The bug gives attackers a way to infiltrate development environments, take control of them, poison code, steal high-value intellectual property, or compromise the system entirely. The spoofing vulnerability, CVE-2023-28299, was disclosed and patched in Microsoft’s April monthly security update, where it was rated moderate severity. Varonis researchers, however, found the bug easy to exploit, and since the product holds a 26% market share with over 30,000 customers, they argue it merits more attention.

The CVE-2023-28299 Vulnerability

The vulnerability involves bypassing a security restriction in the Visual Studio IDE that prevents users from entering information in the “product name” extension property; it affects multiple versions, from Visual Studio 2017 through 2022. According to Varonis security researcher Dolev Taler, adding newline characters to a tag in the “extension.vsixmanifest” file bypasses that control: by adding enough newline characters to the extension name, an attacker can push all other text in the Visual Studio installer out of view, hiding the warning that the extension is not digitally signed. Taler added that, because the attacker controls the area directly below the extension name, a threat actor could easily insert fake “Digital Signature” text that is visible to the user and appears genuine.
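The following is an added example, not code from Varonis or from the article: a small defender-side checker that opens a VSIX package (a zip archive), reads `extension.vsixmanifest`, and flags any metadata text that contains newline or other control characters, which is the pattern described above. It assumes the VSIX v2 manifest layout (a `Metadata` element holding `DisplayName` and `Description` under the `http://schemas.microsoft.com/developer/vsx-schema/2011` namespace); the `build_vsix` helper only constructs in-memory test fixtures so the script runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and manifest path of the VSIX v2 format (assumption for this example).
VSIX_NS = "http://schemas.microsoft.com/developer/vsx-schema/2011"
MANIFEST_PATH = "extension.vsixmanifest"

# ASCII control characters plus the Unicode line/paragraph separators.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]")


def build_vsix(display_name: str, description: str = "Sample extension") -> bytes:
    """Construct a minimal VSIX-like zip in memory (constructed fixture, not a real package)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<PackageManifest Version="2.0.0" xmlns="{VSIX_NS}">'
        "<Metadata>"
        '<Identity Id="example.extension" Version="1.0.0" '
        'Language="en-US" Publisher="Example Publisher" />'
        f"<DisplayName>{escape(display_name)}</DisplayName>"
        f"<Description>{escape(description)}</Description>"
        "</Metadata>"
        "</PackageManifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest)
    return buf.getvalue()


def visible_name(display_name: str) -> str:
    """The portion of the name an installer dialog would show on its first line."""
    return display_name.split("\n", 1)[0]


def inspect_vsix(package: bytes) -> dict:
    """Parse extension.vsixmanifest and flag metadata text containing control characters.

    Element text is checked (XML parsers keep newlines in element text, while
    newlines in attribute values are normalised to spaces by the XML spec).
    """
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if MANIFEST_PATH not in zf.namelist():
            return {"suspicious": True, "findings": ["manifest missing"]}
        root = ET.fromstring(zf.read(MANIFEST_PATH))

    metadata = root.find(f"{{{VSIX_NS}}}Metadata")
    if metadata is None:
        return {"suspicious": True, "findings": ["no Metadata element"]}

    findings = []
    for elem in metadata:
        tag = elem.tag.split("}")[-1]  # strip the namespace prefix
        text = elem.text or ""
        hits = CONTROL_CHARS.findall(text)
        if hits:
            findings.append(
                f"{tag}: {len(hits)} control character(s), "
                f"{text.count(chr(10))} newline(s)"
            )
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    benign = build_vsix("Example Extension")
    # Constructed spoof: padding newlines push the unsigned warning out of view,
    # and the text below the name imitates a signature line.
    spoofed = build_vsix(
        "Example Extension" + "\n" * 40 + "Digital Signature: Example Publisher"
    )
    for label, pkg in (("benign", benign), ("spoofed", spoofed)):
        print(label, inspect_vsix(pkg))
```

The check is deliberately broad: any control character in any metadata text field is reported, not just newlines in the display name, because the same trick works wherever the installer renders manifest text verbatim. In practice a finding should be combined with the installer's own signature verification rather than replace it.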

Delivery Options for Malicious Extensions

Attackers have several delivery options, primarily phishing and other social engineering approaches, for infecting software developers and compromising their systems, and a compromised developer machine can serve as a launchpad into the organization’s development ecosystem or other target-rich environments. In the LastPass breach, for instance, attackers exploited a vulnerability in a media player installed on a developer’s machine to install malware, which gave them access to LastPass production backups. According to Emanuel, director of research and security at Varonis, attackers could trick users into clicking a post on a developer community site that leads to a download page, while Dvir Sason, security research manager at Varonis, suggested that a phishing email containing a spoofed VSIX extension could fool users, or that the malware could be hosted on a site offering cracked software.

Editorial and Advice

User interaction is required in all of these scenarios. Still, attackers can easily build a convincing spoof of a legitimate Visual Studio extension and persuade their target to install it, for example by typosquatting a known extension or mimicking a real one. The flaw is less critical than a remote code execution (RCE) flaw because the infection point requires user interaction. Risk remains, however, for developers working with intellectual property, and Varonis researchers warn that attackers can add malicious code that runs during automated compilation, which may defeat some endpoint defenses. Users should ensure Visual Studio is up to date and updated regularly to prevent exploitation. Organizations should promote security awareness and training and implement strict access controls, two-factor authentication, and privilege escalation monitoring to better protect their environments from these types of attacks.
