Security experts are alerting users about a vulnerability in the Microsoft Visual Studio installer that enables hackers to distribute harmful extensions to application developers while posing as a trusted software vendor. From there, they may get into environments where software is being developed, seize control, poison code, steal highly valuable intellectual property, and more.
The CVE-2023-28299 spoofing vulnerability was patched by Microsoft as part of its April security release. At the time, the business rated the bug as having a low likelihood of being exploited and categorised the vulnerability as having a moderate severity. However, the Varonis researchers who first identified the vulnerability provided a somewhat different perspective on the flaw and its potential consequences in a blog post this week.