Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
13.6.23 Vulnerebility The Hacker News
Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.
"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system."
The vulnerability, which is tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.
The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures.
Specifically, it trivially bypasses a restriction that prevents users from entering information in the "product name" extension property by opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to the "DisplayName" tag in the "extension.vsixmanifest" file.
By introducing enough newline characters in the vsixmanifest file and adding fake "Digital Signature" text, it was found that warnings about the extension not being digitally signed could be easily suppressed, thereby tricking a developer into installing it.
In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.
The unauthorized access could then be used as a launchpad to gain deeper control of the network and facilitate the theft of sensitive information.
"The low complexity and privileges required make this exploit easy to weaponize," Taler said. "Threat actors could use this vulnerability to issue spoofed malicious extensions with the intention of compromising systems."