Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
2023-06-12 12:47

Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.

"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.

"Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system."

The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures.

Specifically, the flaw trivially bypasses a restriction that prevents users from entering information in the "Product name" extension property by opening a Visual Studio Extension package as a .ZIP file and then manually adding newline characters to the "DisplayName" tag in the "Extension.vsixmanifest" file.
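A defender-side check for the manifest manipulation described above, as an added example that is not from the original article or from Varonis: it opens a VSIX package as a ZIP archive, reads the manifest, and flags a DisplayName that contains newline or other control characters. The sample packages are constructed in memory; the function names and the refusal to parse manifests carrying a DTD are choices made for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NAME = "extension.vsixmanifest"

def suspicious_display_name(vsix_bytes):
    """Return the raw DisplayName if it holds control characters, else None."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        # Match the manifest name case-insensitively inside the archive.
        name = next((n for n in zf.namelist() if n.lower() == MANIFEST_NAME), None)
        if name is None:
            raise ValueError("no extension.vsixmanifest in package")
        data = zf.read(name)
    # Refuse DTDs so entity declarations cannot be used against the parser.
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD in manifest, refusing to parse")
    root = ET.fromstring(data)
    for elem in root.iter():
        # Compare the local tag name so the check does not depend on the namespace.
        if elem.tag.rsplit("}", 1)[-1] == "DisplayName":
            text = elem.text or ""
            # A product name is a single line: any newline, carriage return,
            # tab or other control character is treated as suspicious.
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
                return text
    return None

def build_sample(display_name):
    """Build a constructed, minimal VSIX-like ZIP in memory for the demo."""
    manifest = (
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
        "<Metadata><DisplayName>" + display_name + "</DisplayName></Metadata>"
        "</PackageManifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_NAME, manifest)
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_sample("Example Extension")                         # constructed
    padded = build_sample("Example Extension\n\n\ntrailing text")     # constructed
    print(suspicious_display_name(clean))
    print(repr(suspicious_display_name(padded)))
```

The same check catches newlines written as character references (`&#10;`), because the XML parser decodes them before the text is inspected.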

In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.


News URL

https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774