October 13, 2023 at 11:38AM
A single-click exploit has raised concerns about the security of Microsoft’s Visual Studio IDE once again. Developed by security researcher Zhiniang Peng, the exploit takes advantage of the default implementation of the IDE’s “trusted locations” feature. Peng argues that enabling this feature by default would protect users from potential attacks, but Microsoft has declined to comment on why user intervention is still required. The exploit involves manipulating a binary file to trigger code execution, and Peng highlights the difficulty in detecting and understanding the file’s structure. Microsoft does not consider this issue a security vulnerability and has no plans to patch it.
Key takeaways:
1. Weaknesses in the security of Microsoft’s Visual Studio IDE have been highlighted again with a new exploit.
2. The exploit abuses the default implementation of the IDE’s “trusted locations” feature, which is not enabled by default.
3. The exploit involves a maliciously crafted project that can achieve remote code execution (RCE) before the project even compiles.
4. The attack is deceptive because the malicious files are hidden and difficult to find and read.
5. Microsoft does not consider this issue to be a security vulnerability and has not patched it.
6. Microsoft recommends users manually enable the “trusted locations” feature to reduce the security risk.
7. Visual Studio also does not honor the Mark of the Web (MOTW), so files downloaded over HTTP can be opened without warnings.
8. The lack of default security measures poses a significant risk to unaware users.
9. Microsoft does not consider these issues to be vulnerabilities and does not plan to fix them.
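
A pre-open triage for a downloaded project, added here as an example and not taken from the article or from Peng's research: because Visual Studio does not act on the Mark of the Web and the malicious files are hidden, it lists hidden binary files and files whose Zone.Identifier stream marks them as Internet or Restricted zone. The sample tree and its file names are constructed and hypothetical; treating dot-prefixed names as hidden and a NUL byte as "binary" are assumptions.

```python
import re
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" attribute bit
UNTRUSTED_ZONES = {3, 4}     # MOTW ZoneId: 3 = Internet, 4 = Restricted sites

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream_text, re.I | re.M)
    return int(m.group(1)) if m else None

def read_motw(path):
    """ZoneId of a file's MOTW stream; None if absent or not on NTFS."""
    try:
        with open(f"{path}:Zone.Identifier", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None

def is_hidden(path):
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def triage(root):
    """List (relative path, reasons); hidden = the file or a parent dir is hidden."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, reasons = path.relative_to(root), []
        if any(is_hidden(root.joinpath(*rel.parts[:i + 1])) for i in range(len(rel.parts))):
            reasons.append("hidden")
            with open(path, "rb") as fh:
                if b"\0" in fh.read(4096):  # hidden and not human-readable
                    reasons.append("binary")
        if read_motw(path) in UNTRUSTED_ZONES:
            reasons.append("motw")
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return findings

def build_sample(root):  # constructed tree; the file names are hypothetical
    Path(root, ".hidden_state").mkdir()
    Path(root, "app.sln").write_text("constructed solution text\n")
    Path(root, ".hidden_state", "settings.bin").write_bytes(b"\x00\x01constructed")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        print(triage(build_sample(sample)))
```

The "motw" reason can only fire on Windows with NTFS, where the Zone.Identifier stream is readable; elsewhere the hidden and binary checks still run.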