Security News > 2023 > June > Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
2023-06-12 12:47

Security researchers have warned about an "Easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.

"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.

"Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system."

The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures.

Specifically, it trivially bypasses a restriction that prevents users from entering information in the "Product name" extension property by opening a Visual Studio Extension package as a.ZIP file and then manually adding newline characters to the "DisplayName" tag in the "Extension.vsixmanifest" file.

In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.


News URL

https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 723 807 4714 4722 3647 13890