
Security researchers have warned of an ‘easily exploitable’ flaw in the Microsoft Visual Studio installer that could be exploited by malicious actors to impersonate legitimate publishers and distribute malicious extensions.
According to Varonis researcher Dolev Taler, “Threat actors can impersonate popular publishers and issue malicious extensions to compromise targeted systems. Malicious extensions are used to steal sensitive information, silently access and modify code, or gain complete control over systems.”
The vulnerability is tracked as CVE-2023-28299 (CVSS score: 5.5), and Microsoft addressed it as part of its April 2023 Patch Tuesday updates, describing it as a spoofing flaw.

The bug discovered by Varonis concerns the Visual Studio user interface, which allows a publisher’s digital signature to be spoofed.
Specifically, a Visual Studio Extension (VSIX) package can be opened as a .ZIP file and newline characters manually added to the “extension.vsixmanifest” file.

By introducing enough newline characters into the vsixmanifest file and appending bogus “Digital Signature” text, the warning that the extension is not digitally signed can be pushed out of view and effectively suppressed, tricking the developer into installing the extension. Varonis found that this works in practice.
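The checks a practitioner might run on an incoming VSIX before installing it, as an added example that is not part of the article or of Varonis's research: open the package as a ZIP, pull out extension.vsixmanifest, and flag the two tell-tales the article describes (a long run of newline characters and “Digital Signature” text inside the manifest), alongside whether the package carries any signature parts at all. The manifests are constructed sample data; the location of the OPC signature parts (`package/services/digital-signature/`), the padding threshold, and the choice to put the padding inside the Description element are assumptions of this example, since the article does not state where the newlines were inserted.

```python
import io
import re
import zipfile

MANIFEST_NAME = "extension.vsixmanifest"
# Assumption of this example: a signed VSIX stores its OPC signature parts under this prefix.
SIGNATURE_PREFIX = "package/services/digital-signature/"
# Assumption: this many consecutive newlines in a manifest is treated as padding.
NEWLINE_RUN_THRESHOLD = 10

# Constructed sample manifest (not taken from any real extension).
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="ExampleExtension.00000000-0000-0000-0000-000000000000" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Extension</DisplayName>
    <Description>Constructed sample manifest.</Description>
  </Metadata>
</PackageManifest>
"""

# The same manifest padded the way the article describes: a long run of newline
# characters followed by bogus "Digital Signature" text. Putting it inside the
# Description element is an assumption; the article does not say where it went.
PADDED_MANIFEST = CLEAN_MANIFEST.replace(
    "Constructed sample manifest.",
    "Constructed sample manifest." + "\n" * 40 + "Digital Signature: Example Publisher",
)


def build_vsix(manifest_text: str, signed: bool = False) -> bytes:
    """Build a minimal VSIX (a ZIP container) in memory from constructed sample parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(MANIFEST_NAME, manifest_text)
        if signed:
            # Placeholder signature part; only its presence is checked below.
            zf.writestr(SIGNATURE_PREFIX + "origin.psdsor", "")
    return buf.getvalue()


def longest_blank_run(text: str) -> int:
    """Number of newlines in the longest run of consecutive blank lines."""
    best = 0
    for m in re.finditer(r"(?:[ \t]*\r?\n){2,}", text):
        best = max(best, m.group(0).count("\n"))
    return best


def inspect_vsix(data: bytes) -> dict:
    """Report the manifest-padding tell-tales and whether signature parts exist."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if MANIFEST_NAME not in names:
            raise ValueError("package has no " + MANIFEST_NAME)
        manifest = zf.read(MANIFEST_NAME).decode("utf-8", errors="replace")

    run = longest_blank_run(manifest)
    bogus = re.search(r"digital\s+signature", manifest, re.IGNORECASE) is not None
    return {
        "has_signature_parts": any(n.startswith(SIGNATURE_PREFIX) for n in names),
        "longest_newline_run": run,
        "bogus_signature_text": bogus,
        # Manifest text that only exists to move the "not signed" warning off screen.
        "suspicious": run >= NEWLINE_RUN_THRESHOLD or bogus,
    }


if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN_MANIFEST), ("padded", PADDED_MANIFEST)):
        print(label, inspect_vsix(build_vsix(manifest)))
```

The check is deliberately independent of the installer UI: it reads the manifest bytes rather than what the dialog renders, so padding that scrolls the warning out of view is still visible to it. A package with no signature parts at all should be treated as unsigned regardless of any text the manifest carries.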
In a hypothetical attack scenario, a malicious actor could send a phishing email containing a spoofed VSIX extension disguised as a legitimate software update and, once it is installed, gain a foothold on the target machine.
That unauthorized access could then be used as a launch pad to gain deeper control over the network and facilitate the theft of sensitive information.
“The low complexity and required permissions make this exploit easy to weaponize,” Taler said. “Threat actors may use this vulnerability to issue spoofed malicious extensions with the intent of compromising systems.”