A vulnerability in Microsoft Visual Studio Installer allows for easy distribution of malware

Security researchers have recently discovered an “easily exploitable” flaw in the Microsoft Visual Studio installer, which could be used by malicious actors to impersonate legitimate publishers and distribute malicious extensions. This vulnerability, known as CVE-2023-28299, was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, but experts warn that the problem could still exist in some installations.

Description and severity of the vulnerability

The vulnerability, which has been given a CVSS score of 5.5, is described as a spoofing flaw that allows for authentication bypass via the Visual Studio user interface. Essentially, this means attackers could pose as legitimate publishers of Visual Studio extensions and distribute malicious software that appears to be genuine.

Bug discovery and implementation

The flaw was first discovered by researchers at the cybersecurity firm Varonis, who found that it was relatively easy to exploit. It stems from the way the Visual Studio user interface handles digital signatures from publishers. Attackers can use the flaw to bypass a restriction that prevents users from entering information in the “product name” extension property. This is done by opening the Visual Studio Extension (VSIX) package as a ZIP file and manually adding newline characters to the “DisplayName” tag in the “extension.vsixmanifest” file.

Suppression of digital signature warnings

By adding enough newline characters and fake digital signature text to the VSIX file, attackers can easily suppress warnings about the extension not being digitally signed. This means that unsuspecting developers would be tricked into installing the malicious extension, thinking it is legitimate software.
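A defensive check for the manipulation described in the two sections above, as an added example that is not from Varonis or Microsoft: it opens a VSIX as a ZIP archive and flags a DisplayName that contains interior line breaks or signature-like text. The function names, the 1 MiB manifest limit and the sample manifests are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "extension.vsixmanifest"
MAX_MANIFEST_BYTES = 1024 * 1024  # assumed sanity limit for a manifest
SIGNATURE_TEXT = re.compile(r"digital\s+signature", re.IGNORECASE)

def check_display_name(name):
    """Return findings for one DisplayName value."""
    value = name.strip()  # ignore indentation left by pretty-printed XML
    findings = []
    if "\n" in value or "\r" in value:
        findings.append("line break inside DisplayName")
    if SIGNATURE_TEXT.search(value):
        findings.append("signature-like text inside DisplayName")
    return findings

def scan_vsix(data):
    """Inspect VSIX bytes (a ZIP archive) without installing anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if n.lower().endswith(MANIFEST)]
        if not names:
            return ["no extension.vsixmanifest found"]
        if zf.getinfo(names[0]).file_size > MAX_MANIFEST_BYTES:
            return ["manifest larger than expected"]
        # For untrusted files in production, prefer a hardened XML parser
        # such as defusedxml over the standard library parser.
        root = ET.fromstring(zf.read(names[0]))
    findings = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "DisplayName":  # drop namespace
            findings += check_display_name(elem.text or "")
    return findings

def build_sample(display_name):
    """Build a constructed in-memory VSIX holding only a manifest."""
    manifest = ('<PackageManifest Version="2.0.0" xmlns='
                '"http://schemas.microsoft.com/developer/vsx-schema/2011">'
                "<Metadata><DisplayName>%s</DisplayName></Metadata>"
                "</PackageManifest>") % display_name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()

if __name__ == "__main__":
    for dn in ("Example Tool", "Example Tool\n\n\nDigital Signature: Example"):
        print(repr(dn), "->", scan_vsix(build_sample(dn)) or "no findings")
```

A finding here is a reason to reject or manually review the package before installation; an empty result says nothing about whether the extension is otherwise trustworthy.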

Hypothetical attack scenario

In a hypothetical attack scenario, a hacker could send a phishing email to a developer or IT professional, camouflaging the malicious VSIX extension as a legitimate software update. The developer would unwittingly install the extension, and the malware would be activated. From there, the attacker would gain a foothold on the targeted machine, which could then be used to facilitate the theft of sensitive information.

Potential for easy weaponization

According to Vi Taler, a researcher at Varonis, “The low complexity and privileges required make this exploit easy to weaponize.” In other words, even a relatively inexperienced hacker could use this vulnerability to distribute malware and compromise systems. This makes it a serious threat that could cause significant damage if left unchecked.

While Microsoft has released a patch for this vulnerability, it is important for IT professionals and developers to be aware of the potential risks. It is also important to keep security software up to date and to be cautious when installing software or extensions from untrusted sources. By remaining vigilant and taking appropriate precautions, we can help keep ourselves and our data safe from cyber threats.
