Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->

Plug-ins for Code Editors Pose Developer-Security Threat

There are two critical vulnerabilities in plug-ins for the popular Visual Studio Code editor, now patched, but security firm Snyk warns that popular plug-ins could put development environments in jeopardy.

Vulnerabilities discovered in two plug-ins for Microsoft's popular Visual Studio Code editor could allow an attacker to execute malware by tricking a developer into clicking a link, software security firm Snyk says in a new analysis. This raises concerns that code editor extensions could be used as a way to compromise development environments.

The two extensions — Open in Default Browser and Instant Markdown — account for more than 600,000 downloads in the VS Code Marketplace. That's respectable but not close to the most popular plug-ins for handling code in popular languages, such as Python and C, which have tens of millions of downloads. While Snyk responsibly disclosed the issues and they are now patched, the research should raise concerns about whether other extensions have similar problems, says Kirill Efimov, a Snyk security researcher.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

The question is whether Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors have had enough security assessments, he says.

"I believe this is only the tip of the iceberg," Efimov says. "While only this specific attack vector in the publication is covered by our research and it's not likely popular extensions have similar issues, when looking at [other] research [into] VS Code extensions, I expect this area is still a gold mine for researchers."

Extensible code editors have taken off over the last decade. Microsoft's focus on supporting a wide variety of programming languages and frameworks has made its Visual Studio Code incredibly popular with 11 million current users, Microsoft stated a year ago. Overall, approximately 51% of developers use the coding platform, while another 23% use Sublime Text, and 13% use GitHub's Atom, according to the 2019 StackOverflow survey.

"From the developer’s point of view, ... you should be more concerned and conscious of the extensions you install," Snyk states in the vulnerability analysis. "Unfortunately, there are currently no tools for vetting extension security built into the marketplace."

Attackers' interest is understandable as the software supply chain allows compromises to be leveraged to attack bigger game. Earlier this month, for example, vulnerability management firm Rapid7 became the latest company to have its developers targeted when attackers accessed the company's code repositories. Highlighting the power of such attacks, the Rapid7 breach happened because of an earlier attack on third-party code-checking tool Codecov, the company says.

Attackers use similar techniques to target open source projects, either inserting themselves as a legitimate developer or, in some cases, taking control of a project and then modifying the code

"The consequences of a software supply chain attack can be severe," the Cybersecurity and Infrastructure Security Agency CISA stated in an advisory in April 2021. "By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access."

Extensible code editors may represent a fertile field for vulnerability seekers and attackers. The vulnerabilities found by Snyk could have a variety of impacts depending on the setup of the developer's environment. In the case of the Instant Markdown extension, just opening a repository's README file starts a Web server on a particular port (8090) as a way to view the file. Yet the extension has a particular vulnerability, known as path traversal, that allows attackers to reverse their way from the current directory to a completely different parent directory.

"It may seem that an extension is merely an extended IDE capability, but their blast radius is significantly more severe than that," Snyk states in the advisory. "A compromised extension on a developer's laptop means that, at the very least, the attacker had punched a hole through the firewall and gained access to internal corporate networks." 

Keeping the ecosystem secure requires more security checks and a better way to communicate to users the degree to which editor plug-ins have been checked. At the very least, the developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tools to check the security of the code, Snyk's Efimov says. 

For their own work, developers should select the most popular extension to benefit from greater scrutiny by both the team maintaining the code and the user base. In addition, developers should do their own research on potential security issues discovered in specific extensions and how quickly the maintainers resolve issues.

"Check if an extension is actively maintained so you're in the know about any open issues," Efimov says, adding: "I hope our publication will trigger attention to this problem."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-33187
PUBLISHED: 2022-12-09
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs. The vulnerability could allow an attacker with admin privilege to read sensitive information.
CVE-2022-38765
PUBLISHED: 2022-12-09
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
CVE-2022-41947
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated use...
CVE-2022-41948
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HT...
CVE-2022-23469
PUBLISHED: 2022-12-08
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header a...