Kevin Beaumont on Nostr: Expect many more of these. VSCode is an absolute security trash fire, MS Security ...
Expect many more of these. VSCode is an absolute security trash fire, MS Security needs to have a word with MS.
- It installs as non-admin
- There are no security controls *at all* around marketplace access
- Addons update automatically and are required
- No vetting
- Blue tick verification just needs any domain name
- Source code link on addons doesn’t need to match the addons
- Allows RCE by design
- The marketplace is absolutely riddled with malware
https://www.bleepingcomputer.com/news/security/vscode-extensions-with-9-million-installs-pulled-over-security-risks/