Recent security alerts have surfaced regarding a significant vulnerability in the Microsoft Visual Studio installer, which poses risks for users by potentially enabling attackers to impersonate legitimate publishers and distribute harmful extensions. This flaw has been labeled “easily exploitable” by cybersecurity experts at Varonis.
Dolev Taler, a researcher from Varonis, highlighted the severity of the situation, stating, “A threat actor could easily masquerade as a well-known publisher and introduce a malicious extension aimed at compromising targeted systems.” The implications of such malicious extensions are profound, ranging from unauthorized access to sensitive information to the complete takeover of affected systems.
Tracked as CVE-2023-28299 and with a CVSS score of 5.5, this vulnerability was included in Microsoft’s April 2023 Patch Tuesday updates, categorized as a spoofing vulnerability. The issue lies within the Visual Studio user interface, exposing a method for attackers to create digital signatures that can mislead users.
The vulnerability lets an attacker bypass the restrictions that normally limit what can be placed in the extension's “product name” property. Because a Visual Studio Extension (VSIX) package is a ZIP archive, simply renaming it with a .ZIP extension lets the attacker edit the “DisplayName” tag of the “extension.vsixmanifest” file and insert newline characters, misleading developers into believing the extension is legitimate.
By padding the DisplayName value in the vsixmanifest file with newline characters and appending deceptive “Digital Signature” text, attackers can hide the installer's warning about the absence of a valid digital signature, persuading developers to install the malicious extension. Such a scenario could involve phishing, with the attacker presenting the fraudulent VSIX extension as a legitimate software update and gaining unauthorized access to the targeted machine once it is installed.
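The manifest manipulation described above is easy to audit for before an extension is installed. The following script is an added example, not code from the article or from Varonis: it treats a VSIX as the ZIP archive it is, pulls `extension.vsixmanifest`, and flags a `DisplayName` that contains line-break characters or signature-like wording. The manifest layout and namespace used for the constructed sample package are assumptions about the VSIX v2 format; the parser ignores namespaces, so a different namespace still works.

```python
"""Audit a VSIX package for a DisplayName padded with newline characters."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

MANIFEST_NAME = "extension.vsixmanifest"
# Namespace assumed for the constructed sample manifest; the parser below
# matches on local element names only, so other namespaces are handled too.
VSIX_NS = "http://schemas.microsoft.com/developer/vsx-schema/2011"


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def extract_display_name(manifest_xml: bytes) -> Optional[str]:
    """Return the text of the first DisplayName element, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        if _local_name(element.tag) == "DisplayName":
            return element.text or ""
    return None


def check_display_name(name: str) -> List[str]:
    """Flag DisplayName values that try to push misleading text into the installer UI."""
    findings = []
    newline_count = name.count("\n") + name.count("\r")
    if newline_count:
        findings.append("DisplayName contains %d line-break character(s)" % newline_count)
    if re.search(r"digital\s+signature", name, re.IGNORECASE):
        findings.append("DisplayName contains signature-like wording")
    return findings


def scan_vsix(package: bytes) -> List[str]:
    """Open a VSIX (a ZIP archive) and audit its manifest; empty list means clean."""
    with zipfile.ZipFile(io.BytesIO(package)) as archive:
        if MANIFEST_NAME not in archive.namelist():
            return ["missing %s" % MANIFEST_NAME]
        name = extract_display_name(archive.read(MANIFEST_NAME))
    if name is None:
        return ["manifest has no DisplayName element"]
    return check_display_name(name)


def build_sample_vsix(display_name: str) -> bytes:
    """Build a minimal constructed VSIX in memory (test fixture, not a real extension)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PackageManifest Version="2.0.0" xmlns="%s">'
        "<Metadata><DisplayName>%s</DisplayName></Metadata>"
        "</PackageManifest>"
    ) % (VSIX_NS, display_name)
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(MANIFEST_NAME, manifest)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain name and one padded the way the article describes.
    benign = build_sample_vsix("Example Tools")
    padded = build_sample_vsix("Example Tools" + "\n" * 6 + "Digital Signature: Verified")
    print("benign:", scan_vsix(benign) or "no findings")
    print("padded:", scan_vsix(padded))
```

To audit a real package, read the `.vsix` file as bytes and pass it to `scan_vsix`; any non-empty result is worth a manual look at the manifest before the extension is installed. The check is deliberately narrow (line breaks and signature wording in the display name), which is the exact property the spoofing technique depends on, so it can sit in a pre-installation approval step without producing noise on ordinary extensions.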
This unauthorized access could then facilitate broader attacks within the network, potentially enabling the attacker to steal sensitive information or disrupt operations. “The low complexity and minimal privileges required to execute this exploit make it accessible for many threat actors,” Taler noted, emphasizing the ease with which malicious extensions could be propagated.
The tactics such an attack would employ map to several MITRE ATT&CK techniques, particularly around initial access and persistence. By exploiting user trust and technical loopholes in trusted software ecosystems, malicious actors can systematically undermine a business's defenses, raising the stakes for IT managers and business owners alike.