Security researchers are warning about a bug in the Microsoft Visual Studio installer that gives cyberattackers a way to create and distribute malicious extensions to application developers, under the guise of being a legitimate software publisher. From there, they could infiltrate development environments, taking control, poisoning code, stealing high-value intellectual property, and more.
Microsoft issued a patch for the spoofing vulnerability—tracked as CVE-2023-28299—with its monthly security update for April. At the time, the company described the vulnerability as being of moderate severity and assessed it as a bug that attackers are less likely to exploit. But in a blog this week, the Varonis researchers who originally discovered the vulnerability offered a slightly different take on the bug and its potential impact.
According to the posting, the bug merits attention because it’s easily exploitable and exists in a product with a 26% market share and more than 30,000 customers.
“With the UI bug found by Varonis Threat Labs, a threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system,” Varonis security researcher Dolor Taler wrote. “Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.”
CVE-2023-28299: Meriting Attention
The vulnerability that Varonis discovered affects multiple versions of the Visual Studio integrated development environment (IDE)—from Visual Studio 2017 to Visual Studio 2022. The flaw involves the ability for anyone to easily bypass a security restriction in Visual Studio that prevents users from entering information in the “product name” extension property.
Taler found an attacker could bypass that control by simply opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to a tag in the “extension.vsixmanifest” file. A newline character is something that developers use to denote the end of a line of text, so the cursor moves to the beginning of the next line on screen.
Taler discovered that by adding enough newline characters to the extension name, an attacker could force all other text in the Visual Studio installer to be pushed down, thereby hiding from sight any warnings about the extension not being digitally signed.
“And because a threat actor controls the area under the extension name, they can easily add fake ‘Digital Signature’ text, visible to the user and appearing to be genuine,” Taler said.
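A defender-side check for the manifest tampering described above, added here as an example and not code from Varonis or Microsoft: it opens a VSIX as a ZIP archive and flags extension-name fields that contain line breaks or signature-like text. The DisplayName/Name tag names and the in-memory sample package are assumptions made for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "extension.vsixmanifest"
# Assumption: the displayed name is in <DisplayName> (or <Name> in older manifests).
NAME_TAGS = {"DisplayName", "Name"}
SIGNATURE_HINT = re.compile(r"digital\s+signature", re.IGNORECASE)


def check_vsix(data: bytes) -> list[str]:
    """Flag name fields in a VSIX manifest that contain line breaks or signature-like text."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [n for n in zf.namelist() if n.lower() == MANIFEST]
        if not entries:
            return ["no extension.vsixmanifest found"]
        raw = zf.read(entries[0])
    if b"<!DOCTYPE" in raw:  # a manifest has no need for a DTD; do not parse it
        return ["manifest declares a DOCTYPE"]
    findings = []
    for el in ET.fromstring(raw).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        text = el.text or ""
        if tag not in NAME_TAGS:
            continue
        breaks = text.count("\n") + text.count("\r")
        if breaks:
            findings.append(f"{tag}: {breaks} line break(s) in name")
        if SIGNATURE_HINT.search(text):
            findings.append(f"{tag}: name contains signature-like text")
    return findings


def build_sample(display_name: str) -> bytes:
    """Constructed sample: a minimal in-memory VSIX holding only a manifest."""
    manifest = (
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
        f"<Metadata><DisplayName>{display_name}</DisplayName></Metadata>"
        "</PackageManifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    padded = "Example Tool" + "\n" * 12 + "Digital Signature: Example Publisher"
    print(check_vsix(build_sample("Example Tool")))
    print(check_vsix(build_sample(padded)))
```

Any finding is a reason to inspect the package by hand before installing it; a clean result says nothing about what the extension's code does.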
Pushing Out Malicious Extensions: Multiple Delivery Options
Attackers have multiple options—most involving phishing or other social engineering—for delivering a malicious extension to software developers and using it to compromise their systems, Varonis said. They could then use it as a launching pad into the organization’s development ecosystem and other target-rich environments.
Password management vendor LastPass is one recent example of a company that experienced a breach of its development systems via a targeted attack on a software developer’s system. In that instance, the attackers exploited a vulnerability in a media player installed on the person’s machine to install malware, which eventually gave them a way to access LastPass production backups.
Or Emanuel, director of research and security at Varonis, tells Dark Reading that attackers could use several approaches to trick users into executing a spoofed Visual Studio extension. “For example, they could trick the users into clicking on a post in a developer community site that takes them to a web page to download,” he says.
Other infection paths could begin with a phishing email containing a spoofed VSIX extension that mimics a real one, adds Dvir Sason, security research manager at Varonis. Or the path could run through a site containing cracked software, or even through typosquatting a known and valid extension in the Microsoft marketplace, Sason says.
“Since devs are targeted, we’re looking at potential victims that may not be security oriented and might be much more lucrative due to the potential intellectual property they’re working on,” he notes, adding that by hiding a payload to trigger upon a successful installation of an extension, threat actors are able to take their time and wait for infections and communications back from infected systems: “In addition, malicious code could potentially be added for automated compilation and might defeat some endpoint defenses.”
All of these scenarios involve user interaction. While an attacker can relatively easily develop a convincing spoof of a legitimate Visual Studio extension, they would need to convince their target to install it. Since the infection point has to involve user interaction, the flaw is not considered as critical as a remote code execution (RCE) flaw, Sason says. “That being said, any Visual Studio users who aren’t up to date are at risk,” adds Emanuel.
He says Varonis decided to publish its advisory only now because the company wanted to ensure organizations had plenty of time to update Visual Studio. “It’s one of the leading IDEs, so we did not want to clue in attackers.”