Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

11 months ago AndyC

Jun
12,
2023Ravie
LakshmananVulnerability
/
Software

Security
researchers
have
warned
about
an
“easily
exploitable”
flaw
in
the
Microsoft
Visual
Studio
installer
that
could
be
abused
by
a
malicious
actor
to
impersonate
a
legitima

Jun
12,
2023Ravie
LakshmananVulnerability
/
Software

Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

Security
researchers
have
warned
about
an
“easily
exploitable”
flaw
in
the
Microsoft
Visual
Studio
installer
that
could
be
abused
by
a
malicious
actor
to
impersonate
a
legitimate
publisher
and
distribute
malicious
extensions.

“A
threat
actor
could
impersonate
a
popular
publisher
and
issue
a
malicious
extension
to
compromise
a
targeted
system,”
Varonis
researcher
Dolev
Taler

said.
“Malicious
extensions
have
been
used
to
steal
sensitive
information,
silently
access
and
change
code,
or
take
full
control
of
a
system.”

The
vulnerability,
which
is
tracked
as

CVE-2023-28299
(CVSS
score:
5.5),
was
addressed
by
Microsoft
as
part
of
its

Patch
Tuesday
updates
for
April
2023,
describing
it
as
a
spoofing
flaw.

The
bug
discovered
by
Varonis
has
to
do
with
the
Visual
Studio
user
interface,
which
allows
for
spoofed
publisher
digital
signatures.

Specifically,
it
trivially
bypasses
a
restriction
that
prevents
users
from
entering
information
in
the
“product
name”
extension
property
by
opening
a
Visual
Studio
Extension
(VSIX)
package
as
a
.ZIP
file
and
then
manually
adding

newline
characters
to
the
“DisplayName”
tag
in
the
“extension.vsixmanifest”
file.

By
introducing
enough
newline
characters
in
the
vsixmanifest
file
and
adding
fake
“Digital
Signature”
text,
it
was
found
that
warnings
about
the
extension
not
being
digitally
signed
could
be
easily
suppressed,
thereby
tricking
a
developer
into
installing
it.

UPCOMING
WEBINAR

🔐
Mastering
API
Security:
Understanding
Your
True
Attack
Surface

Discover
the
untapped
vulnerabilities
in
your
API
ecosystem
and
take
proactive
steps
towards
ironclad
security.
Join
our
insightful
webinar!

Join
the
Session

In
a
hypothetical
attack
scenario,
a
bad
actor
could
send
a
phishing
email
bearing
the
spoofed
VSIX
extension
by
camouflaging
it
as
a
legitimate
software
update
and,
post-installation,
gain
a
foothold
into
the
targeted
machine.

The
unauthorized
access
could
then
be
used
as
a
launchpad
to
gain
deeper
control
of
the
network
and
facilitate
the
theft
of
sensitive
information.

“The
low
complexity
and
privileges
required
make
this
exploit
easy
to
weaponize,”
Taler
said.
“Threat
actors
could
use
this
vulnerability
to
issue
spoofed
malicious
extensions
with
the
intention
of
compromising
systems.”

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts