Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->

Plug-ins for Code Editors Pose Developer-Security Threat

There are two critical vulnerabilities in plug-ins for the popular Visual Studio Code editor, now patched, but security firm Snyk warns that popular plug-ins could put development environments in jeopardy.

Vulnerabilities discovered in two plug-ins for Microsoft's popular Visual Studio Code editor could allow an attacker to execute malware by tricking a developer into clicking a link, software security firm Snyk says in a new analysis. This raises concerns that code editor extensions could be used as a way to compromise development environments.

The two extensions — Open in Default Browser and Instant Markdown — account for more than 600,000 downloads in the VS Code Marketplace. That's respectable but not close to the most popular plug-ins for handling code in popular languages, such as Python and C, which have tens of millions of downloads. While Snyk responsibly disclosed the issues and they are now patched, the research should raise concerns about whether other extensions have similar problems, says Kirill Efimov, a Snyk security researcher.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

The question is whether Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors have had enough security assessments, he says.

"I believe this is only the tip of the iceberg," Efimov says. "While only this specific attack vector in the publication is covered by our research and it's not likely popular extensions have similar issues, when looking at [other] research [into] VS Code extensions, I expect this area is still a gold mine for researchers."

Extensible code editors have taken off over the last decade. Microsoft's focus on supporting a wide variety of programming languages and frameworks has made its Visual Studio Code incredibly popular with 11 million current users, Microsoft stated a year ago. Overall, approximately 51% of developers use the coding platform, while another 23% use Sublime Text, and 13% use GitHub's Atom, according to the 2019 StackOverflow survey.

"From the developer’s point of view, ... you should be more concerned and conscious of the extensions you install," Snyk states in the vulnerability analysis. "Unfortunately, there are currently no tools for vetting extension security built into the marketplace."

Attackers' interest is understandable as the software supply chain allows compromises to be leveraged to attack bigger game. Earlier this month, for example, vulnerability management firm Rapid7 became the latest company to have its developers targeted when attackers accessed the company's code repositories. Highlighting the power of such attacks, the Rapid7 breach happened because of an earlier attack on third-party code-checking tool Codecov, the company says.

Attackers use similar techniques to target open source projects, either inserting themselves as a legitimate developer or, in some cases, taking control of a project and then modifying the code

"The consequences of a software supply chain attack can be severe," the Cybersecurity and Infrastructure Security Agency CISA stated in an advisory in April 2021. "By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access."

Extensible code editors may represent a fertile field for vulnerability seekers and attackers. The vulnerabilities found by Snyk could have a variety of impacts depending on the setup of the developer's environment. In the case of the Instant Markdown extension, just opening a repository's README file starts a Web server on a particular port (8090) as a way to view the file. Yet the extension has a particular vulnerability, known as path traversal, that allows attackers to reverse their way from the current directory to a completely different parent directory.

"It may seem that an extension is merely an extended IDE capability, but their blast radius is significantly more severe than that," Snyk states in the advisory. "A compromised extension on a developer's laptop means that, at the very least, the attacker had punched a hole through the firewall and gained access to internal corporate networks." 

Keeping the ecosystem secure requires more security checks and a better way to communicate to users the degree to which editor plug-ins have been checked. At the very least, the developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tools to check the security of the code, Snyk's Efimov says. 

For their own work, developers should select the most popular extension to benefit from greater scrutiny by both the team maintaining the code and the user base. In addition, developers should do their own research on potential security issues discovered in specific extensions and how quickly the maintainers resolve issues.

"Check if an extension is actively maintained so you're in the know about any open issues," Efimov says, adding: "I hope our publication will trigger attention to this problem."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35670
PUBLISHED: 2022-08-11
Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Expl...
CVE-2022-35671
PUBLISHED: 2022-08-11
Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR....
CVE-2022-35673
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute ...
CVE-2022-35674
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute ...
CVE-2022-35675
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a mal...