Researcher Drops a New VS Code Zero-Day After Losing Trust in Microsoft’s Disclosure Process

Security Affairs, 04/06/2026, 09:13

Summary

AI-Generated

Key Points:

  • A new zero-day vulnerability in Visual Studio Code (VS Code) allows attackers to steal OAuth tokens from users, granting access to all repositories the user can access.
  • The vulnerability is present in github.dev, where an attacker can exploit the OAuth token's lack of scoping to recommend malicious extensions that install without user consent, potentially compromising private repositories.
  • Immediate actions include advising users to refrain from using github.dev until a patch is released and encouraging Microsoft to improve its security disclosure process.

Technical Details: The vulnerability allows an attacker to manipulate the .vscode/extensions.json file and execute hidden malicious code within Jupyter Notebooks. This leads to unauthorized installation of extensions that can access sensitive GitHub tokens.
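
A defensive check for the .vscode/extensions.json vector described above, added here as an example that is not part of the article or of any vendor tooling: it parses a workspace's extensions.json (tolerating comments and trailing commas) and reports recommended extensions that are not on an organisation allowlist. The allowlist, the sample file contents and the case-insensitive comparison of IDs are assumptions made for illustration.

```python
import json
import re

# Constructed sample: a workspace file as it might appear in a cloned repository.
SAMPLE = '''{
  // editor tooling for this project
  "recommendations": [
    "ms-python.python",
    "Example-Publisher.Unknown-Helper", /* constructed ID */
    "not a valid id",
  ]
}'''

# Hypothetical organisation allowlist (assumption, not from the article).
ALLOWLIST = {"ms-python.python", "ms-toolsai.jupyter"}

# publisher.name shape; anything else is reported as malformed.
ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9._-]*$")

def strip_jsonc(text):
    """Drop // and /* */ comments, then trailing commas, leaving strings intact."""
    string = r'"(?:\\.|[^"\\])*"'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(string + r"|//[^\n]*|/\*.*?\*/", keep_strings, text, flags=re.S)
    return re.sub(string + r"|,(?=\s*[\]}])", keep_strings, text)

def audit_recommendations(text, allowlist):
    """Return (unapproved, malformed) entries from an extensions.json body."""
    data = json.loads(strip_jsonc(text))
    recs = data.get("recommendations", []) if isinstance(data, dict) else []
    allowed = {a.lower() for a in allowlist}
    unapproved, malformed = [], []
    for rec in recs if isinstance(recs, list) else []:
        # IDs are normalised to lower case for comparison (assumption).
        ext = rec.strip().lower() if isinstance(rec, str) else ""
        if not ID_RE.match(ext):
            malformed.append(rec)
        elif ext not in allowed:
            unapproved.append(ext)
    return unapproved, malformed

if __name__ == "__main__":
    bad, odd = audit_recommendations(SAMPLE, ALLOWLIST)
    print("unapproved:", bad)
    print("malformed:", odd)
```

Run against each repository's .vscode/extensions.json in CI or a pre-merge hook, failing the check when either list is non-empty.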

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploit Public-Facing Application (Initial Access)

IOCs Mentioned: None mentioned.
