Software security company Snyk said in a new analysis that vulnerabilities found in two popular Microsoft Visual Studio Code editor plug-ins could allow attackers to execute malware by tricking developers into clicking links. This raises concerns that code editor extensions can be used as a way into the development environment.
In the VS Code Marketplace, these two extensions (“Open in Default Browser” and “Instant Markdown”) account for more than 600,000 downloads. That is respectable, but nowhere near the most popular plug-ins, which handle code in widely used languages such as Python and C and have tens of millions of downloads. Snyk developer advocacy director Liran Tal said that although Snyk disclosed these issues responsibly and they have been patched, the research should raise concerns about whether other extensions have similar issues.
He said the question is whether Microsoft’s Visual Studio Code, GitHub’s Atom and other extensible code editors have undergone adequate security assessments.
Tal said: “I believe this is just the tip of the iceberg. Although our research only covers this specific attack vector in the publication, when looking at [other] studies [into] VS Code extensions, popular extensions are unlikely to encounter similar problems. I hope this field is still a gold mine for researchers.”
In the past decade, extensible code editors have flourished. Microsoft said a year ago that its focus on supporting multiple programming languages and frameworks had made Visual Studio Code extremely popular, with 11 million current users. According to a 2019 StackOverflow survey, about 51% of developers overall use the editor, while another 23% use Sublime Text and 13% use GitHub’s Atom.
Snyk said in the vulnerability analysis: “From a developer’s point of view, … you should pay more attention to and be aware of the extensions you have installed. Unfortunately, there is currently no tool on the market to review the security of extensions.”
The attacker’s interest is understandable, because compromising the software supply chain lets an attack on one link reach much larger targets. For example, earlier this month the vulnerability management company Rapid7 became the latest company to have its developers targeted, when an attacker accessed the company’s code repository. The Rapid7 breach, which the company said stemmed from an earlier attack on the third-party code inspection tool Codecov, highlights the reach of this kind of attack.
Attackers use similar techniques to target open source projects, either inserting themselves as legitimate developers or, in some cases, taking control of the project, and then modifying the code.
The Cybersecurity and Infrastructure Security Agency (CISA) said in an April 2021 advisory: “The consequences of software supply chain attacks can be severe. By compromising software vendors, they bypass border routers, firewalls and other perimeter security measures and obtain initial access.”
Extensible code editors may provide a fertile field for vulnerability seekers and attackers. Depending on how the developer’s environment is set up, the vulnerabilities discovered by Snyk can have several effects. With the Instant Markdown extension, simply opening a repository’s README file starts a web server on a specific port (8090) to preview the file. But the extension had a particular vulnerability, path traversal, which allows an attacker to walk back from the current directory into an entirely different parent directory.
Snyk pointed out in the report: “Extensions seem to be just extended IDE functions, but their blast radius is much more serious. An extension compromised on a developer’s laptop means, at the very least, that the attacker has punched a hole in the firewall and gained access to the internal company network.”
Keeping the ecosystem safe will require more security checks, and a better way of telling users how thoroughly an editor plug-in has been vetted. Snyk’s Tal said that, at a minimum, developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tooling to check their code.
For their own work, developers should choose the most popular extensions, so that the code benefits from the more stringent review that larger maintainer teams and user bases bring. In addition, developers should do their own research into the security issues reported against a specific extension and how quickly its maintainers resolve them.
Tal said: “Check to see if the extension is actively maintained so that you are aware of all unresolved issues. I hope our publication will draw people’s attention to this issue.”