September 22, 2023

Researchers come up with a warning about a bug in Microsoft Visual Studio installer that gives attackers a way to create and distribute malicious extensions to application developers under the guise of being a legitimate software publisher. With this, it could infiltrate development environments, take control, and poison code.

Microsoft issued a patch for the spoofing vulnerability tracked as CVE-2023-28299, with its April monthly security update that described the vulnerability as being of moderate severity bug and that attackers are less likely to exploit.

Now, the researchers discovered that the vulnerability originally offered a slightly different take on the bug and its potential impact and it’s easily exploitable and exists in a product with a 26% market share and more than 30,000 customers


The vulnerability that discovered affects multiple versions of the Visual Studio integrated development environment (IDE) from Visual Studio 2017 to Visual Studio 2022 and anyone to easily bypass a security restriction in Visual Studio that prevents users from entering information in the “product name” extension property.

An attacker could bypass that control by simply opening a Visual Studio Extension package as a .ZIP file and then manually add newline characters to a tag it in the extension.vsixmanifest file.

A newline character is something that developers use to denote the end of a line of text, so the cursor moves to the beginning of the next line on screen. An attacker could force all other text in the Visual Studio installer to be pushed down, thereby hiding from sight any warnings about the extension not being digitally signed.


Varonis researchers decided to publish its advisory only now because the company wanted to ensure organizations had plenty of time to update Visual Studio. “it’s one of the leading IDEs, so we did not want to clue in attackers.”

Leave a Reply

%d bloggers like this: