Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/28/2021
10:20 AM
50%
50%

Plug-ins for Code Editors Pose Developer-Security Threat

There are two critical vulnerabilities in plug-ins for the popular Visual Studio Code editor, now patched, but security firm Snyk warns that popular plug-ins could put development environments in jeopardy.

Vulnerabilities discovered in two plug-ins for Microsoft's popular Visual Studio Code editor could allow an attacker to execute malware by tricking a developer into clicking a link, software security firm Snyk says in a new analysis. This raises concerns that code editor extensions could be used as a way to compromise development environments.

The two extensions — Open in Default Browser and Instant Markdown — account for more than 600,000 downloads in the VS Code Marketplace. That's respectable but not close to the most popular plug-ins for handling code in popular languages, such as Python and C, which have tens of millions of downloads. While Snyk responsibly disclosed the issues and they are now patched, the research should raise concerns about whether other extensions have similar problems, says Kirill Efimov, a Snyk security researcher.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

The question is whether Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors have had enough security assessments, he says.

"I believe this is only the tip of the iceberg," Efimov says. "While only this specific attack vector in the publication is covered by our research and it's not likely popular extensions have similar issues, when looking at [other] research [into] VS Code extensions, I expect this area is still a gold mine for researchers."

Extensible code editors have taken off over the last decade. Microsoft's focus on supporting a wide variety of programming languages and frameworks has made its Visual Studio Code incredibly popular with 11 million current users, Microsoft stated a year ago. Overall, approximately 51% of developers use the coding platform, while another 23% use Sublime Text, and 13% use GitHub's Atom, according to the 2019 StackOverflow survey.

"From the developer’s point of view, ... you should be more concerned and conscious of the extensions you install," Snyk states in the vulnerability analysis. "Unfortunately, there are currently no tools for vetting extension security built into the marketplace."

Attackers' interest is understandable as the software supply chain allows compromises to be leveraged to attack bigger game. Earlier this month, for example, vulnerability management firm Rapid7 became the latest company to have its developers targeted when attackers accessed the company's code repositories. Highlighting the power of such attacks, the Rapid7 breach happened because of an earlier attack on third-party code-checking tool Codecov, the company says.

Attackers use similar techniques to target open source projects, either inserting themselves as a legitimate developer or, in some cases, taking control of a project and then modifying the code

"The consequences of a software supply chain attack can be severe," the Cybersecurity and Infrastructure Security Agency CISA stated in an advisory in April 2021. "By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access."

Extensible code editors may represent a fertile field for vulnerability seekers and attackers. The vulnerabilities found by Snyk could have a variety of impacts depending on the setup of the developer's environment. In the case of the Instant Markdown extension, just opening a repository's README file starts a Web server on a particular port (8090) as a way to view the file. Yet the extension has a particular vulnerability, known as path traversal, that allows attackers to reverse their way from the current directory to a completely different parent directory.

"It may seem that an extension is merely an extended IDE capability, but their blast radius is significantly more severe than that," Snyk states in the advisory. "A compromised extension on a developer's laptop means that, at the very least, the attacker had punched a hole through the firewall and gained access to internal corporate networks." 

Keeping the ecosystem secure requires more security checks and a better way to communicate to users the degree to which editor plug-ins have been checked. At the very least, the developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tools to check the security of the code, Snyk's Efimov says. 

For their own work, developers should select the most popular extension to benefit from greater scrutiny by both the team maintaining the code and the user base. In addition, developers should do their own research on potential security issues discovered in specific extensions and how quickly the maintainers resolve issues.

"Check if an extension is actively maintained so you're in the know about any open issues," Efimov says, adding: "I hope our publication will trigger attention to this problem."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.