Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Plug-ins for Code Editors Pose Developer-Security Threat

There are two critical vulnerabilities in plug-ins for the popular Visual Studio Code editor, now patched, but security firm Snyk warns that popular plug-ins could put development environments in jeopardy.

Vulnerabilities discovered in two plug-ins for Microsoft's popular Visual Studio Code editor could allow an attacker to execute malware by tricking a developer into clicking a link, software security firm Snyk says in a new analysis. This raises concerns that code editor extensions could be used as a way to compromise development environments.

The two extensions — Open in Default Browser and Instant Markdown — account for more than 600,000 downloads in the VS Code Marketplace. That's respectable but not close to the most popular plug-ins for handling code in popular languages, such as Python and C, which have tens of millions of downloads. While Snyk responsibly disclosed the issues and they are now patched, the research should raise concerns about whether other extensions have similar problems, says Kirill Efimov, a Snyk security researcher.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

The question is whether Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors have had enough security assessments, he says.

"I believe this is only the tip of the iceberg," Efimov says. "While only this specific attack vector in the publication is covered by our research and it's not likely popular extensions have similar issues, when looking at [other] research [into] VS Code extensions, I expect this area is still a gold mine for researchers."

Extensible code editors have taken off over the last decade. Microsoft's focus on supporting a wide variety of programming languages and frameworks has made its Visual Studio Code incredibly popular with 11 million current users, Microsoft stated a year ago. Overall, approximately 51% of developers use the coding platform, while another 23% use Sublime Text, and 13% use GitHub's Atom, according to the 2019 StackOverflow survey.

"From the developer’s point of view, ... you should be more concerned and conscious of the extensions you install," Snyk states in the vulnerability analysis. "Unfortunately, there are currently no tools for vetting extension security built into the marketplace."

Attackers' interest is understandable as the software supply chain allows compromises to be leveraged to attack bigger game. Earlier this month, for example, vulnerability management firm Rapid7 became the latest company to have its developers targeted when attackers accessed the company's code repositories. Highlighting the power of such attacks, the Rapid7 breach happened because of an earlier attack on third-party code-checking tool Codecov, the company says.

Attackers use similar techniques to target open source projects, either inserting themselves as a legitimate developer or, in some cases, taking control of a project and then modifying the code

"The consequences of a software supply chain attack can be severe," the Cybersecurity and Infrastructure Security Agency CISA stated in an advisory in April 2021. "By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access."

Extensible code editors may represent a fertile field for vulnerability seekers and attackers. The vulnerabilities found by Snyk could have a variety of impacts depending on the setup of the developer's environment. In the case of the Instant Markdown extension, just opening a repository's README file starts a Web server on a particular port (8090) as a way to view the file. Yet the extension has a particular vulnerability, known as path traversal, that allows attackers to reverse their way from the current directory to a completely different parent directory.

"It may seem that an extension is merely an extended IDE capability, but their blast radius is significantly more severe than that," Snyk states in the advisory. "A compromised extension on a developer's laptop means that, at the very least, the attacker had punched a hole through the firewall and gained access to internal corporate networks." 

Keeping the ecosystem secure requires more security checks and a better way to communicate to users the degree to which editor plug-ins have been checked. At the very least, the developers who publish and maintain extensions for any platform, whether VS Code or an open source framework, should use modern security tools to check the security of the code, Snyk's Efimov says. 

For their own work, developers should select the most popular extension to benefit from greater scrutiny by both the team maintaining the code and the user base. In addition, developers should do their own research on potential security issues discovered in specific extensions and how quickly the maintainers resolve issues.

"Check if an extension is actively maintained so you're in the know about any open issues," Efimov says, adding: "I hope our publication will trigger attention to this problem."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1678
PUBLISHED: 2022-05-25
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
CVE-2021-32966
PUBLISHED: 2022-05-25
Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP s...
CVE-2021-32989
PUBLISHED: 2022-05-25
When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.
CVE-2021-32997
PUBLISHED: 2022-05-25
The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 ver...
CVE-2021-35487
PUBLISHED: 2022-05-25
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, dat...