Security researchers have identified a critical flaw in the Microsoft Visual Studio installer that allows malicious actors to exploit the software and distribute harmful extensions under the guise of legitimate publishers.
These malicious extensions can be used to steal sensitive data, manipulate code, and gain full control over targeted systems. Tracked as CVE-2023-28299, Microsoft addressed this vulnerability as part of its April 2023 Patch Tuesday updates, classifying it as a spoofing flaw.
The discovered bug is related to the Visual Studio user interface, which permits the manipulation of publisher digital signatures. By circumventing the restriction on entering information in the “product name” extension property, attackers can add newline characters to the “DisplayName” tag in the “extension.vsixmanifest” file within a Visual Studio Extension (VSIX) package.
Through this method, warnings about the lack of a digital signature can be easily suppressed, deceiving developers into installing the malicious extension.
In a hypothetical attack scenario, threat actors could send phishing emails disguising the spoofed VSIX extension as a legitimate software update. Once installed, the malicious extension would provide unauthorized access to the targeted machine, acting as a launchpad for further network infiltration and the theft of sensitive information.
This exploit is particularly concerning due to its low complexity and the minimal privileges required to execute it, making it highly susceptible to weaponization by malicious actors aiming to compromise systems.
Given the severity of the vulnerability, it is crucial for users and developers to promptly address and apply the necessary security updates provided by Microsoft to mitigate the risk of falling victim to this exploit.
Vigilance in verifying the authenticity of extension sources and implementing robust security measures will be paramount in protecting systems against this type of threat.
