Software development relies on powerful tools like Microsoft Visual Studio, an Integrated Development Environment (IDE) that facilitates coding and collaboration. However, it’s crucial to be aware of security vulnerabilities that can put your organisation’s system at risk.
Understanding the Impersonation Vulnerability: Security researchers from Varonis Threat Labs have uncovered a significant security flaw, known as CVE-2023-28299, in the Microsoft Visual Studio extension installer. This vulnerability allows attackers to exploit a user interface bug, impersonating legitimate publishers and distributing malicious extensions that can compromise targeted systems. While Microsoft has responded promptly by releasing a patch for CVE-2023-28299, it’s essential to understand the potential consequences and take proactive measures to protect your organisation’s systems.
The Potential Impact: Microsoft Visual Studio is widely used by developers, with millions of users relying on its robust features. One of its key strengths is the availability of numerous extensions that enhance the development process, from integrating external tools like GitHub and SQL servers to improving productivity through features like spell checks and code snippets. However, the identified UI bug (CVE-2023-28299) exposes a vulnerability that threat actors can exploit, posing as trusted publishers and distributing malicious extensions. These extensions can facilitate activities such as data theft, unauthorised code access, and even total system compromise.
Understanding the Bug: Visual Studio has security measures in place to prevent newline characters in extension names, achieved by restricting user input in the “Product Name” extension property. However, this restriction can be overcome by manipulating the VSIX file, essentially a ZIP file, and adding newline characters to the <DisplayName> tag in the “extension.vsixmanifest” file. By doing so, threat actors can hide the “Digital Signature: None” warning, making their spoofed extensions appear legitimate.
The Impersonation Technique: A legitimate extension includes a valid digital signature, assuring its authenticity and safety. Spoofed extensions lack valid digital signatures, making them suspicious and potentially harmful. Threat actors exploit their control over the extension name area to add fake “Digital Signature” text, deceiving users into believing the extension is genuine.
The Attack Scenario: Impersonation attacks often involve phishing tactics. Here’s an example of how attackers could exploit this vulnerability:
The attacker sends an email to company developers, disguising it as a legitimate software update. The email contains a spoofed VSIX extension, meticulously crafted to mimic a genuine update. Unsuspecting victims unknowingly install the malicious extension, unable to distinguish it from a legitimate one. Once installed, the attacker gains access to the victim’s machine, establishing a foothold within the organisation. With this initial access, the threat actor can infiltrate the organisation, potentially extracting valuable data and causing significant harm.
Microsoft’s Response and Recommendations: Acknowledging the severity of this exploit, Microsoft has swiftly addressed the issue by releasing a patch for CVE-2023-28299 as part of their Patch Tuesday update on April 11, 2023. All users must apply this patch promptly and remain vigilant for suspicious system activities.
The security vulnerability (CVE-2023-28299) discovered in Microsoft Visual Studio highlights the risk of impersonation attacks targeting legitimate publishers. Although this vulnerability is easy to exploit, it can be mitigated by applying the provided patch. As users, it is important to stay proactive and vigilant against potential threats to ensure the integrity and security of our systems.
https://www.varonis.com/blog/visual-studio-bug – Published 8th June
https://www.redpacketsecurity.com/microsoft-visual-studio-spoofing-cve-2023-28299/ – Published 12th June
Finnish authorities have exposed a sophisticated Android malware campaign designed to steal banking credentials and drain victims’ accounts. While the attacks are currently concentrated in…
A criminal network known as BogusBazaar has emerged as a major threat to online shoppers. This operation has lured hundreds of thousands of victims across…
WordPress website owners and administrators should be aware of a recent surge in attacks exploiting a security vulnerability in older versions of the popular LiteSpeed…
