A Bug in Microsoft Visual Studio Makes Developers Vulnerable to Takeover with Ease

A bug in the Microsoft Visual Studio installer poses a significant threat to application developers, according to security researchers. Cyberattackers have found a vulnerability that lets them create and distribute malicious extensions to developers, potentially accessing development environments, poisoning code, and stealing intellectual property. Microsoft has issued a patch for the bug, tracked as CVE-2023-28299, noting that it couldn’t be classed as a critical threat. However, researchers from Varonis, which discovered the issue, have warned that the bug is easily exploitable and affects a product with a 26% market share and over 30,000 customers.

The bug affects Visual Studio integrated development environments from 2017 to 2022. It bypasses a restriction that prevents users from entering information in the “product name” extension property. An attacker simply has to open a Visual Studio Extension (VSIX) package as a .ZIP file and add newline characters to the “extension.vsixmanifest” file; this forces other text in the installer to be shifted down, making warnings about the absence of digital signatures invisible. The attacker can then convince the targeted system that they are a popular software publisher.
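A defender-side check for the manifest tampering described above, as an added example that is not from the article, Varonis or Microsoft: it opens a VSIX as a ZIP archive and flags line breaks, control characters or unusual length in the name field. The `DisplayName` element name and both size limits are assumptions, and the sample packages are constructed in memory.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "extension.vsixmanifest"   # manifest file named in the article
NAME_TAG = "DisplayName"              # assumed element behind the "product name"
MAX_MANIFEST_BYTES = 1 << 20          # assumed cap against oversized manifests
MAX_NAME_LEN = 100                    # assumed sanity limit, not a Visual Studio value


def check_vsix(vsix_bytes):
    """Return a list of reasons the package's display name looks tampered."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as archive:
        entry = next((i for i in archive.infolist()
                      if i.filename.lower() == MANIFEST), None)
        if entry is None:
            return ["no extension.vsixmanifest in package"]
        if entry.file_size > MAX_MANIFEST_BYTES:
            return ["manifest larger than expected"]
        # For hostile input, a hardened parser such as defusedxml is preferable.
        root = ET.fromstring(archive.read(entry))
    findings = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != NAME_TAG:   # ignore the XML namespace
            continue
        text = elem.text or ""
        if any(ch in "\r\n" for ch in text):
            findings.append("line break inside name")
        if any(unicodedata.category(ch) == "Cc" and ch not in "\r\n" for ch in text):
            findings.append("control character inside name")
        if len(text) > MAX_NAME_LEN:
            findings.append("name longer than %d characters" % MAX_NAME_LEN)
    return findings


def build_sample(display_name):
    """Build a constructed, in-memory VSIX containing only a manifest."""
    manifest = ET.Element("PackageManifest")
    ET.SubElement(ET.SubElement(manifest, "Metadata"), NAME_TAG).text = display_name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(MANIFEST, ET.tostring(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    print(check_vsix(build_sample("Example Extension")))            # clean sample
    print(check_vsix(build_sample("Example" + "\n" * 5 + "text")))  # padded sample
```

A check like this fits in front of any internal extension mirror or pre-install review step; it complements, and does not replace, applying the patch and verifying the package's digital signature.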

Several phishing techniques can be used to deliver a malicious extension to software developers and allow attackers to compromise their systems. Emnuel Ellencweig, Director of Research and Security at Varonis, says that attackers could trick users into clicking on a post in a developer community site, for example. Security Research Manager Dvir Sason adds that a phishing attack could use a spoofed VSIX extension that mimics a genuine one. A developer’s machine could also be reached by exploiting vulnerabilities in software or media players installed on it; developers work on valuable intellectual property, which makes them particularly attractive to cyberattackers.

While Varonis points out that an attacker would need to convince their target to install a convincing spoof of a legitimate Visual Studio extension, history shows this is possible. Recently, password management vendor LastPass’s development systems were breached after a cybercriminal exploited a vulnerability in a media player installed on an individual developer’s system. An infected machine enabled attackers to gain access to LastPass production backups.

Varonis is concerned that not all Visual Studio users will have updated the programme, making them vulnerable, hence their decision to release their advisory now. The company doesn’t want to alert attackers to this issue but does understand the urgency of the situation, especially since attackers can add malicious code for automated compilation, which can evade some endpoint defences. Therefore, it’s crucial for those using Visual Studio to update the programme as soon as possible.
