Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/28/2021
10:20 AM
50%
50%

Plug-ins for Code Editors Pose Developer-Security Threat

There are two critical vulnerabilities in plug-ins for the popular Visual Studio Code editor, now patched, but security firm Snyk warns that popular plug-ins could put development environments in jeopardy.

Vulnerabilities discovered in two plug-ins for Microsoft's popular Visual Studio Code editor could allow an attacker to execute malware by tricking a developer into clicking a link, software security firm Snyk says in a new analysis. This raises concerns that code editor extensions could be used as a way to compromise development environments.

The two extensions — Open in Default Browser and Instant Markdown — account for more than 600,000 downloads in the VS Code Marketplace. That's respectable but not close to the most popular plug-ins for handling code in popular languages, such as Python and C, which have tens of millions of downloads. While Snyk responsibly disclosed the issues and they are now patched, the research should raise concerns about whether other extensions have similar problems, says Kirill Efimov, a Snyk security researcher.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

The question is whether Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors have had enough security assessments, he says.

"I believe this is only the tip of the iceberg," Efimov says. "While only this specific attack vector in the publication is covered by our research and it's not likely popular extensions have similar issues, when looking at [other] research [into] VS Code extensions, I expect this area is still a gold mine for researchers."

Extensible code editors have taken off over the last decade. Microsoft's focus on supporting a wide variety of programming languages and frameworks has made its Visual Studio Code incredibly popular with 11 million current users, Microsoft stated a year ago. Overall, approximately 51% of developers use the coding platform, while another 23% use Sublime Text, and 13% use GitHub's Atom, according to the 2019 StackOverflow survey.

"From the developer’s point of view, ... you should be more concerned and conscious of the extensions you install," Snyk states in the vulnerability analysis. "Unfortunately, there are currently no tools for vetting extension security built into the marketplace."

Attackers' interest is understandable as the software supply chain allows compromises to be leveraged to attack bigger game. Earlier this month, for example, vulnerability management firm Rapid7 became the latest company to have its developers targeted when attackers accessed the company's code repositories. Highlighting the power of such attacks, the Rapid7 breach happened because of an earlier attack on third-party code-checking tool Codecov, the company says.

Attackers use similar techniques to target open source projects, either inserting themselves as a legitimate developer or, in some cases, taking control of a project and then modifying the code

"The consequences of a software supply chain attack can be severe," the Cybersecurity and Infrastructure Security Agency CISA stated in an advisory in April 2021. "By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access."

Extensible code editors may represent a fertile field for vulnerability seekers and attackers. The vulnerabilities found by Snyk could have a variety of impacts depending on the setup of the developer's environment. In the case of the Instant Markdown extension, just opening a repository's README file starts a Web server on a particular port (8090) as a way to view the file. Yet the extension has a particular vulnerability, known as path traversal, that allows attackers to reverse their way from the current directory to a completely different parent directory.

"It may seem that an extension is merely an extended IDE capability, but their blast radius is significantly more severe than that," Snyk states in the advisory. "A compromised extension on a developer's laptop means that, at the very least, the attacker had punched a hole through the firewall and gained access to internal corporate networks." 

Keeping the ecosystem secure requires more security checks and a better way to communicate to users the degree to which editor plug-ins have been checked. At the very least, the developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tools to check the security of the code, Snyk's Efimov says. 

For their own work, developers should select the most popular extension to benefit from greater scrutiny by both the team maintaining the code and the user base. In addition, developers should do their own research on potential security issues discovered in specific extensions and how quickly the maintainers resolve issues.

"Check if an extension is actively maintained so you're in the know about any open issues," Efimov says, adding: "I hope our publication will trigger attention to this problem."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16060
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
CVE-2018-16061
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
CVE-2021-27561
PUBLISHED: 2021-10-15
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
CVE-2020-4951
PUBLISHED: 2021-10-15
IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.
CVE-2021-28021
PUBLISHED: 2021-10-15
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.