Kevin Beaumont5h ago

RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Show threadKevin Beaumont5h ago

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

Show threadD Ingram4h ago
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
Show threadKevin Beaumont
@ingram you can probably install VSCode 😅
12:55pmWeb