Easily Exploitable Microsoft Visual Studio Bug Opens Developers to Takeover

Published: 23/11/2024   Category: security




The bug is very dangerous and impacts a big swath of the developer community, researchers warn.



Security researchers are warning about a bug in Microsoft Visual Studio installer that gives cyberattackers a way to create and distribute malicious extensions to application developers, under the guise of being a legitimate software publisher. From there, they could infiltrate development environments, taking control, poisoning code, stealing high-value intellectual property, and more.
Microsoft issued a patch for the spoofing vulnerability—tracked as CVE-2023-28299—with its monthly security update for April. At the time the company described the vulnerability as being of moderate severity and assessed it as a bug that attackers are less likely to exploit. But in a blog this week, researchers from Varonis who discovered the vulnerability originally offered a slightly different take on the bug and its potential impact.
According to the posting, the bug merits attention because it's easily exploitable and exists in a product with a 26% market share and more than 30,000 customers.
With the UI bug found by Varonis Threat Labs, a threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system, Varonis security researcher Dolev Taler wrote. Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.
The vulnerability that Varonis discovered affects multiple versions of the Visual Studio integrated development environment (IDE)—from Visual Studio 2017 to Visual Studio 2022. The flaw involves the ability for anyone to easily bypass a security restriction in Visual Studio that prevents users from entering information in the product name extension property.
Taler found an attacker could bypass that control by simply opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to a tag in the extension.vsixmanifest file. A newline character is something that developers use to denote the end of a line of text, so the cursor moves to the beginning of the next line on screen.
Taler discovered that by adding enough newline characters to the extension name, an attacker could force all other text in the Visual Studio installer to be pushed down, thereby hiding from sight any warnings about the extension not being digitally signed.
And because a threat actor controls the area under the extension name, they can easily add fake Digital Signature text, visible to the user and appearing to be genuine, Taler said.
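A defender-side check for the manifest manipulation described above, as an added example that is not from Varonis or Microsoft: it opens a VSIX as a ZIP, parses extension.vsixmanifest, and reports line-break characters in the extension name. It assumes the name is stored in the manifest's DisplayName element; the sample packages are constructed in memory and carry no payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "extension.vsixmanifest"
MAX_MANIFEST_BYTES = 1 << 20  # refuse oversized manifests before parsing
# Assumption: the extension name is the <DisplayName> element of the manifest.
NAME_TAG = "DisplayName"
# LF, CR, NEL, LINE SEPARATOR, PARAGRAPH SEPARATOR
LINE_BREAKS = re.compile("[\n\r\x85\u2028\u2029]")


def scan_vsix(data: bytes):
    """Return [(line_break_count, first_line)] for each suspicious name field."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = {n.lower(): n for n in zf.namelist()}
        if MANIFEST not in entries:
            raise ValueError("package has no " + MANIFEST)
        info = zf.getinfo(entries[MANIFEST])
        if info.file_size > MAX_MANIFEST_BYTES:
            raise ValueError("manifest too large")
        root = ET.fromstring(zf.read(info))
    findings = []
    for el in root.iter():
        # Compare on the local name so the check is namespace-independent.
        if el.tag.rsplit("}", 1)[-1] == NAME_TAG and el.text:
            breaks = len(LINE_BREAKS.findall(el.text))
            if breaks:
                first_line = LINE_BREAKS.split(el.text.strip(), 1)[0]
                findings.append((breaks, first_line))
    return findings


def build_sample(display_name: str) -> bytes:
    """Build a constructed, payload-free VSIX-shaped ZIP for testing the scanner."""
    manifest = (
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
        '<Metadata><Identity Id="example.sample" Version="1.0" Publisher="Example"/>'
        f"<DisplayName>{display_name}</DisplayName></Metadata></PackageManifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()


CLEAN = build_sample("Sample Tool")
PADDED = build_sample("Sample Tool" + "\n" * 40 + "text placed below the name")
```

Any finding is worth treating as a reason to reject the package, since a legitimate extension name has no need for line breaks; the check also catches breaks written as character references such as `&#10;`.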
Attackers have multiple options—most involving phishing or other social engineering—for delivering a malicious extension to software developers and using it to compromise their systems, Varonis said. They could then use it as a launching pad into the organization's development ecosystem and other target-rich environments.
Password management vendor LastPass is one recent example of a company that experienced a breach of its development systems via a targeted attack on a software developer's system. In that instance, the attackers exploited a vulnerability in a media player installed on the person's machine to install malware, which eventually gave them a way to access LastPass production backups.
Or Emanuel, director of research and security at Varonis, tells Dark Reading that attackers could use several approaches to trick users into executing a spoofed Visual Studio extension. For example, they could trick the users into clicking on a post in a developer community site that takes them to a web page to download, he says.
Other infection paths could begin with a phishing email containing a spoofed VSIX extension that mimics a real one, adds Dvir Sason, security research manager at Varonis. Or, it could be a site containing cracked software, or even by typosquatting a known and valid extension in the Microsoft marketplace, Sason says.
"Since devs are targeted, we're looking at potential victims that may not be security oriented and might be much more lucrative due to the potential intellectual property they're working on," he notes, adding that by hiding a payload to trigger upon a successful installation of an extension, threat actors are able to take their time and wait for infections and communications back from infected systems: "In addition, malicious code could potentially be added for automated compilation and might defeat some endpoint defenses."
All of these scenarios involve user interaction. While an attacker can relatively easily develop a convincing spoof of a legitimate Visual Studio extension, they would need to convince their target to install it. Since the infection point has to involve user interaction, the flaw is not considered as critical as a remote code execution (RCE) flaw, Sason says. That being said, any Visual Studio users who aren’t up to date are at risk, adds Emanuel.
He says Varonis decided to publish its advisory only now because the company wanted to ensure organizations had plenty of time to update Visual Studio. "It's one of the leading IDEs, so we did not want to clue in attackers."
