Security researchers have warned about an “easily exploitable” flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.
“A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system,” Varonis researcher Dolev Taler said. “Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.”
The vulnerability, which is tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.
Specifically, it trivially bypasses a restriction that prevents users from entering information in the “product name” extension property by opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to the “DisplayName” tag in the “extension.vsixmanifest” file.
In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.
The unauthorized access could then be used as a launchpad to gain deeper control of the network and facilitate the theft of sensitive information.
“The low complexity and privileges required make this exploit easy to weaponize,” Taler said. “Threat actors could use this vulnerability to issue spoofed malicious extensions with the intention of compromising systems.”
Source: https://thehackernews.com/
