Security News > 2023 > October > Calls for Visual Studio security tweak fall on deaf ears despite one-click RCE exploit

Perceived weaknesses in the security of Microsoft's Visual Studio IDE are being raised once again this week with a fresh single-click exploit.

Following the 2021 targeting of security researchers by North Korea's state-sponsored offensive cyber group Lazarus, Microsoft rolled out trusted locations to prevent malicious Visual Studio projects being used to achieve remote code execution.

Microsoft told the researcher that it doesn't consider the issue to be tantamount to a security vulnerability, saying that opening a Visual Studio project downloaded from a platform like GitHub is inherently "An insecure operation."

After Lazarus started targeting security researchers with Visual Studio exploits in 2021, Microsoft's trusted locations feature was designed to automatically present a user who opened an untrusted Visual Studio project with a dialog window, warning of the security risks associated with opening projects downloaded from the web.

"After enabling , all content opened inside Visual Studio 2022 is considered untrusted until you or your organization adds it to the list of 'trusted locations'," Microsoft said in a blog post at the time.

Earlier this year, red team service provider Outflank published its own pre-build Visual Studio exploit and was met with a similar response from Microsoft, alluding to the fact that its own PoC simply used Visual Studio's intended behavior, which doesn't warrant a fix.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/13/fresh_visual_studio_rce_exploit/