Calls for Visual Studio security tweak fall on deaf ears despite one-click RCE exploit


Perceived weaknesses in the security of Microsoft's Visual Studio IDE are being raised once again this week with a new single-click exploit.

Developed by Zhiniang Peng, principal security researcher and chief architect of security at Sangfor, the proof of concept (PoC) exploits the default implementation of the IDE's "trusted locations" feature.

Following the 2021 targeting of security researchers by North Korea's state-sponsored offensive cyber group Lazarus, Microsoft rolled out trusted locations to prevent malicious Visual Studio projects being used to achieve remote code execution (RCE).

Published this week, Peng's exploit highlights how this feature, which could prevent a tried and tested attack vector, is still not enabled by default, putting unaware users at risk.

Peng argued that enabling the feature by default would go a long way to protecting developers opening projects from the web, but Microsoft has declined to comment on why user intervention is still required to benefit from the feature.

Microsoft told the researcher that it doesn't consider the issue to be tantamount to a security vulnerability, saying that opening a Visual Studio project downloaded from a platform like GitHub is inherently "an insecure operation."

The exploit itself involves a maliciously crafted project that's downloaded and opened on a user's machine. Peng devised a way to achieve RCE before a project even compiles.

It involves using the .suo binary file, one that's automatically created inside a .vs folder when a project is opened, which can be manipulated to trigger code execution.

What makes the attack especially deceptive is the fact that folders and files beginning with a period aren't displayed by default in a project's file explorer, meaning it requires additional manual effort to find these, and even when they are found, they're more difficult to read than plaintext files.

"There is also limited documentation describing the structure of this file, making it easier to identify even with careful inspection," Peng said.

The researcher's full writeup details the exploit's inner workings at length, and while it's far from a new attack vector, Peng was keen to highlight Microsoft's longstanding stance on the issue – that it doesn't consider it a real vulnerability and thus won't be patched.

After Lazarus started targeting security researchers with Visual Studio exploits in 2021, Microsoft's trusted locations feature was designed to automatically present a user who opened an untrusted Visual Studio project with a dialog window, warning of the security risks associated with opening projects downloaded from the web.

Trusted locations also eventually received an update adding a "restricted mode" to that dialog box, allowing users to open projects in a safer way that wouldn't allow any code to be executed on the machine.

"After enabling [trusted locations], all content opened inside Visual Studio 2022 is considered untrusted until you or your organization (via Group Policy) adds it to the list of 'trusted locations'," Microsoft said in a blog post at the time.


"You can trust a folder location, a git repository, or a git repository owner directly from the trust dialog or the trust settings dialog."

The issue Peng raised is that trusted locations is a feature users must enable manually and isn't enabled by default, which is still the case in 2023.

A Microsoft spokesperson dodged The Register's questions about why trusted locations isn't enabled by default and whether the latest PoC would change its stance on the matter.

However, it did provide the following statement: "To reduce the security risk of working with untrusted code, we recommend customers follow our guidance on how to configure trust settings to better protect themselves.

"In addition to the security feature improvements we have already announced, we will continue to evaluate our services to help protect our customers from these types of threats."

"This setting needs to be manually enabled," Peng said. "However, even two years after the article was published, this setting remains disabled by default. There might be something preventing Visual Studio from enabling it."

Mark of the Web (MOTW) also isn't adhered to in Visual Studio, Peng said, and solution (.sln) files downloaded over HTTP can be opened without any MOTW-related warnings.

MOTW is a security feature first implemented in Internet Explorer that tags files downloaded from the internet so Microsoft Defender SmartScreen is triggered to perform additional security checks.
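Since the article describes two things a developer cannot see from inside the IDE (the period-prefixed .vs folder with its .suo file, and the Mark of the Web tag that Visual Studio does not act on), the following PowerShell script is an added example of the pre-open audit a defender can run on a downloaded project. It is not code from the article, from Peng, or from Microsoft. It assumes the project was extracted onto an NTFS volume, because MOTW lives in the `Zone.Identifier` alternate data stream and `ZoneId=3` denotes the Internet zone; the script name `Audit-VsProject.ps1` and the `-ProjectRoot` parameter are the example's own.

```powershell
<#
Added example, not code from the article, from Peng, or from Microsoft.
Audits a downloaded Visual Studio project before it is opened and reports:
  1. .vs folders and .suo files, which the IDE's file explorer hides because
     their names start with a period and which are loaded on project open.
  2. Whether each .sln and .suo file still carries Mark of the Web, stored in
     the Zone.Identifier alternate data stream; ZoneId=3 means Internet zone.
Assumption: the project sits on NTFS. Alternate data streams do not exist on
other file systems, so there the MOTW column would read "none" for every file.
Usage: .\Audit-VsProject.ps1 -ProjectRoot C:\Downloads\some-project
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ProjectRoot
)

function Get-MotwZoneId {
    param([string]$Path)
    # Read the Zone.Identifier stream if present; its absence means no MOTW.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-HiddenIdeState {
    param([System.IO.FileInfo]$File)
    # True for .suo files and for anything that lives under a .vs folder.
    return ($File.Extension -ieq '.suo') -or ($File.FullName -match '[\\/]\.vs[\\/]')
}

# -Force includes hidden items, which is exactly what the default explorer omits.
$files = Get-ChildItem -LiteralPath $ProjectRoot -Recurse -Force -File

$report = foreach ($f in $files) {
    $isState    = Test-HiddenIdeState -File $f
    $isSolution = $f.Extension -ieq '.sln'
    if (-not ($isState -or $isSolution)) { continue }
    $zone = Get-MotwZoneId -Path $f.FullName
    [pscustomobject]@{
        Path         = $f.FullName
        Kind         = if ($isState) { 'hidden IDE state' } else { 'solution' }
        MotwZoneId   = if ($null -eq $zone) { 'none' } else { $zone }
        FromInternet = ($zone -eq 3)
    }
}

$report | Format-Table -AutoSize

# IDE state is regenerated when the project is opened, so shipped copies are
# never needed; removing them before opening takes the pre-build trigger away.
$stateFiles = @($report | Where-Object Kind -eq 'hidden IDE state')
if ($stateFiles.Count -gt 0) {
    $msg = '{0} .vs/.suo file(s) arrived with this download; delete them before opening the solution.' -f $stateFiles.Count
    Write-Warning $msg
}
```

The `FromInternet` column is informational: per the article, Visual Studio does not act on MOTW, so a `ZoneId=3` tag on a .sln file tells the reviewer where it came from but will not by itself produce a SmartScreen prompt. The actionable output is the list of .vs and .suo files, which are safe to delete because the IDE recreates them on open.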

"All in all, we can bypass the double protection of trust zones and MOTW without any effort, which poses a significant risk for unaware users," Peng said.

"No SmartScreen warning, no trust needed, no additional interaction needed. But it will not be fixed, because Microsoft considers it's not a vulnerability."

Earlier this year, red team service provider Outflank published its own pre-build Visual Studio exploit and was met with a similar response from Microsoft, alluding to the fact that its own PoC simply used Visual Studio's intended behavior, which doesn't warrant a fix. ®