Security researchers have warned about an “easy to exploit” weakness in the Microsoft Visual Studio installer that could be abused by bad actors to impersonate legitimate publishers and distribute malicious extensions.
“Threat actors can impersonate popular publishers and issue malicious extensions to compromise targeted systems,” Varonis researcher Dolev Taler said. “Malicious extensions have been used to steal sensitive information, access and change code silently, or take full control of a system.”
The vulnerability, tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, which describe it as a spoofing flaw.
The bug Varonis discovered lies in the Visual Studio user interface, which can be made to display a forged publisher digital signature.
Specifically, a restriction that stops users from entering arbitrary information in the "product name" extension property can be bypassed by opening a Visual Studio Extension (VSIX) package as a .ZIP file and manually adding newline characters to the "DisplayName" tag in the "extension.vsixmanifest" file.
By inserting a large number of newline characters into the vsixmanifest file and appending fake "Digital Signature" text, the researchers found that the installer's warning that the extension is not digitally signed could be suppressed, tricking developers into installing it.
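The manipulation described above is a manifest edit rather than a code flaw in the extension itself, so the practical check is to look inside the .vsix (a ZIP) at the DisplayName of extension.vsixmanifest. The following is an added example, not Varonis' proof of concept or any Microsoft code: it builds two constructed in-memory VSIX packages, one benign and one carrying the newline padding plus fake "Digital Signature" text, and runs a small inspection routine that flags line breaks or other control characters in the DisplayName. The publisher name, extension identity and "Content_Types" stub are placeholders; only the manifest namespace is the real VSIX v2 schema.

```python
"""Added example (not Varonis' or Microsoft's code): construct VSIX
manifests with and without the CVE-2023-28299 newline injection and flag
a DisplayName that carries control characters."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real VSIX v2 manifest namespace; all identities below are constructed.
VSIX_NS = "http://schemas.microsoft.com/developer/vsx-schema/2011"
NS = {"v": VSIX_NS}
MANIFEST_NAME = "extension.vsixmanifest"


def build_manifest(display_name: str) -> bytes:
    """Build a minimal extension.vsixmanifest with the given DisplayName."""
    root = ET.Element("PackageManifest", {"Version": "2.0.0", "xmlns": VSIX_NS})
    meta = ET.SubElement(root, "Metadata")
    ET.SubElement(meta, "Identity", {"Id": "Example.Vsix", "Version": "1.0",
                                     "Publisher": "Example Publisher"})
    # ElementTree does not escape newlines in element text, so any line
    # breaks in display_name land in the manifest verbatim.
    ET.SubElement(meta, "DisplayName").text = display_name
    ET.SubElement(meta, "Description").text = "Constructed sample extension"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def build_vsix(display_name: str) -> bytes:
    """Pack the manifest into an in-memory .vsix (a VSIX is just a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_NAME, build_manifest(display_name))
        # Placeholder part so the archive looks like a package; not validated.
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="utf-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
    return buf.getvalue()


def inspect_vsix(vsix_bytes: bytes) -> dict:
    """Read the manifest out of a .vsix and report on its DisplayName.

    A legitimate display name is a single line; line breaks or other
    control characters are the padding pattern used to push spoofed
    signature text into the installer dialog.
    """
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        root = ET.fromstring(zf.read(MANIFEST_NAME))
    node = root.find("v:Metadata/v:DisplayName", NS)
    name = (node.text if node is not None else "") or ""
    newlines = name.count("\n")
    control = sum(1 for c in name if ord(c) < 0x20)
    return {
        "display_name": name,
        "newlines": newlines,
        "control_chars": control,
        "mentions_signature": "signature" in name.lower(),
        "suspicious": control > 0,
    }


if __name__ == "__main__":
    benign = build_vsix("Example Tools")
    spoofed = build_vsix("Example Tools" + "\n" * 40
                         + "Digital Signature: Example Publisher")
    for label, pkg in (("benign", benign), ("spoofed", spoofed)):
        report = inspect_vsix(pkg)
        print(label, {k: v for k, v in report.items() if k != "display_name"})
```

To run the check against a real package, read the file bytes and pass them to inspect_vsix; the parser only needs the manifest entry, so the rest of the archive is never extracted. Note that the XML parser folds "\r\n" into "\n", so the newline count reflects logical line breaks rather than raw bytes.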
In a hypothetical attack scenario, a bad actor could send a phishing email carrying a bogus VSIX extension disguised as a legitimate software update and, once it is installed, gain a foothold on the targeted machine.
That initial access could then serve as a launching pad to gain more control over the network and to steal sensitive information.
“The low complexity and idiosyncrasies required make this exploit easy to weaponise,” says Taler. “Threat actors could use this vulnerability to issue fake malicious extensions with the intention of harming the system.”