Select Page

Security researchers have warned about an “easily exploitable” flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.

“A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system,” Varonis researcher Dolev Taler said. “Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system.”

The vulnerability, which is tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.

images from Hacker News