Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Security
researchers
have
warned
about
an
“easily
exploitable”
flaw
in
the
Microsoft
Visual
Studio
installer
that
could
be
abused
by
a
malicious
actor
to
impersonate
a
legitimate
publisher
and
distribute
malicious
extensions.
“A
threat
actor
could
impersonate
a
popular
publisher
and
issue
a
malicious
extension
to
compromise
a
targeted
system,”
Varonis
researcher
Dolev
Taler
said.
“Malicious
extensions
have
been
used
to
steal
sensitive
information,
silently
access
and
change
code,
or
take
full
control
of
a
system.”
The
vulnerability,
which
is
tracked
as
CVE-2023-28299
(CVSS
score:
5.5),
was
addressed
by
Microsoft
as
part
of
its
Patch
Tuesday
updates
for
April
2023,
describing
it
as
a
spoofing
flaw.
The
bug
discovered
by
Varonis
has
to
do
with
the
Visual
Studio
user
interface,
which
allows
for
spoofed
publisher
digital
signatures.
Specifically,
it
trivially
bypasses
a
restriction
that
prevents
users
from
entering
information
in
the
“product
name”
extension
property
by
opening
a
Visual
Studio
Extension
(VSIX)
package
as
a
.ZIP
file
and
then
manually
adding
newline
characters
to
the
“DisplayName”
tag
in
the
“extension.vsixmanifest”
file.
By
introducing
enough
newline
characters
in
the
vsixmanifest
file
and
adding
fake
“Digital
Signature”
text,
it
was
found
that
warnings
about
the
extension
not
being
digitally
signed
could
be
easily
suppressed,
thereby
tricking
a
developer
into
installing
it.
UPCOMING
WEBINAR
🔐
Mastering
API
Security:
Understanding
Your
True
Attack
Surface
Discover
the
untapped
vulnerabilities
in
your
API
ecosystem
and
take
proactive
steps
towards
ironclad
security.
Join
our
insightful
webinar!
In
a
hypothetical
attack
scenario,
a
bad
actor
could
send
a
phishing
email
bearing
the
spoofed
VSIX
extension
by
camouflaging
it
as
a
legitimate
software
update
and,
post-installation,
gain
a
foothold
into
the
targeted
machine.
The
unauthorized
access
could
then
be
used
as
a
launchpad
to
gain
deeper
control
of
the
network
and
facilitate
the
theft
of
sensitive
information.
“The
low
complexity
and
privileges
required
make
this
exploit
easy
to
weaponize,”
Taler
said.
“Threat
actors
could
use
this
vulnerability
to
issue
spoofed
malicious
extensions
with
the
intention
of
compromising
systems.”