RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension; it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now; Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the North Korean government.

It's reasonably lightweight, but I don't trust it any more, as even if I only use it for text editing, it's too willing to run code from external sources.

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was Windows only.
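The two defender-side knobs the thread complains about (silent extension auto-update, and the "trust this directory" prompt that lets a cloned repo run code) are both exposed as VS Code settings. The settings.json below is an added illustration, not something posted in the thread; the `extensions.allowed` allow-list is assumed to be available in recent VS Code releases, and the publisher and extension names in it are placeholders.

```jsonc
// Hardened VS Code settings.json (added example, not from the thread).
{
  // Stop extensions updating themselves silently; the thread notes
  // auto-update is on by default, which turns any compromised or
  // sold-on extension into remote code execution on every endpoint.
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false,

  // Keep Workspace Trust on and make the "trust this directory" decision
  // explicit, so an opened repo cannot run its tasks or debug hooks until
  // someone has actually decided to trust it.
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.startupPrompt": "always",
  "security.workspace.trust.untrustedFiles": "newWindow",
  "security.workspace.trust.emptyWindow": false,

  // Assumption: "extensions.allowed" (recent VS Code releases) allow-lists
  // publishers or extension IDs; "*": false denies anything not listed.
  // "example-publisher" / "example-publisher.example-extension" are
  // placeholders, not recommendations.
  "extensions.allowed": {
    "*": false,
    "example-publisher": true,
    "example-publisher.example-extension": true
  }
}
```

Because a user can edit their own settings.json, these only become a control when pushed from device management as a managed policy; that deployment step is an assumption here, not something the thread describes.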