
Security Weekly Podcast Network (Audio)
VSCode Vulnerabilities - Thomas Chauchefoin, Paul Gerste - PSW #804
Podcast summary created with Snipd AI
Quick takeaways
- Developers should keep their IDEs and extensions up to date to mitigate vulnerabilities.
- Third-party extensions increase the attack surface of IDEs, requiring caution when installing them.
- Security measures should be prioritized in the development of next-generation IDEs.
- Workspace trust features can enhance security by minimizing risks associated with untrusted projects.
- Ongoing research focuses on addressing security issues in popular IDEs and developer software.
Deep dives
The Israeli military is reportedly using widespread GPS tampering to deter missile attacks from Hezbollah.
Researchers have detected this tampering with GPS by analyzing flight tracker data.
It is interesting to note that this technology has been used before by nation-state actors, such as Russia, for military operations and to protect high-value targets.
Additionally, Google is implementing a new feature on Android devices that scans side-loaded apps for malware during installation.
This move is aimed at bolstering the security of Android devices and protecting users from potential threats.
Overview of the Podcast
The podcast episode discusses various topics including Android, folding phones, cybersecurity, and Raspberry Pi.
Android Ecosystem
The speaker finds the Android ecosystem interesting, particularly the new Pixel Fold and its usefulness for work purposes.
Issues with Folding Phones
The speaker expresses concerns about potential damage to folding phone screens and discusses the relevance of insurance for these devices.
Discussion on Raspberry Pi
The podcast episode mentions the Raspberry Pi 5, highlighting its improved performance, features, and potential impact on production and cost.
Vulnerabilities discovered in Microsoft's Visual Studio Code IDE
Researchers working for a company called Sonar discovered vulnerabilities in Microsoft's Visual Studio Code IDE. The vulnerabilities were found in the Git integration, which is commonly used by developers. Attackers could exploit these vulnerabilities to execute arbitrary commands on a victim's machine. The researchers reported the vulnerabilities to Microsoft, which promptly fixed them. The vulnerabilities have the potential for remote code execution, highlighting the importance of keeping IDEs up to date and minimizing the use of third-party extensions.
Challenges in securing IDEs and supply chain concerns
Securing IDEs, such as Visual Studio Code, can be challenging due to the integration of various functionalities and extensions. Third-party extensions, although useful for enhancing productivity, can increase the attack surface of the IDE. Additionally, the supply chain of IDEs and extensions raises concerns about potential backdoors or vulnerabilities introduced by malicious actors. While advancements, such as signing dependencies, have been made, the dynamics of the supply chain make it difficult to completely mitigate these risks. Users are advised to keep their IDEs and extensions up to date and exercise caution when installing third-party plugins.
Recommendations for future IDE development
To ensure the security of the next generation of IDEs, developers should prioritize security measures from the inception stage. Implementing workspace trust features, like asking users to trust projects, can enhance security by minimizing potential risks associated with untrusted projects. IDE vendors should also focus on securely integrating with third-party tools, ensuring that these connections are not vulnerable to attacks. Additionally, sandboxing different parts of the IDE, especially those interacting with external binaries, can add an extra layer of security. Ongoing research in the developer tooling field aims to identify and address security issues in popular IDEs and other software used by developers.
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering cryptocurrency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
Blog posts
- Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/)
- Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs
- CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742)
- CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129)
- CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Show Notes: https://securityweekly.com/psw-804