In a sense Microsoft forgot its own learnings. Because of exactly things like this, they prevent UWP apps from connecting to localhost by default and make it very annoying to circumvent, and from my experience the circumvention is not exactly a stable setup. So they really don't want you to do that, and somebody thought enough to make it extra difficult. So, they have UWP, all those well thought-out policies, then make an editor ecosystem out of web technology and throw everything out of the window. No surprise from a $T company with more teams than countries on Earth that not everything is coordinated, but they should have a guy with the required knowledge and sensibilities on any major product team. Apps installed from their "store" are relatively safe, but then they put an (extension) store inside their app again, which is unsafe :/
Issues like this have been repeated countless times in various IDEs, debugger interfaces and local services using the browser as UI. Developers need to stop using network sockets as IPC channels for local services unless browsers significantly increase the restrictions on cross-site requests. Similar situation with regular CSRF attacks. And it needs to be opt-out, not opt-in. As long as it's the responsibility of the developer to implement proper authentication checks for something they consider a local service, vulnerabilities like this will keep appearing.
> Does it fix the issues? Yes.

> Do I think there are other security issues here and we can bypass this? Also, yes.

> Do I want to spend more time doing free work for a company with a 2.5 TRILLION market cap? Hell, no.

Troubling.
Could someone with insight give an estimate for how much you could sell an exploit like this, which lets you RCE a fair bunch of developer machines?

It feels that paired with a good blog (ironically about WSL) this could be very profitable, compared to the $0 MS awarded them.
The "Your editor has DRM" section alone [0] is enough for me to continue to advocate for a better user-friendly FOSS IDE, in addition to the wonderful giants of emacs & vim, and to avoid the VS Code "kool aid".

[0] https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-for-fun-and-negative-profit/#your-editor-has-drm
Kudos to the author for a fantastic write-up. The structure made reading it a really pleasant learning experience: a solid table of contents, an up-front summary, and a sensible list of prerequisites and instructions for following along.
Microsoft has the best bounty hunter program: go fuck yourself.

If you find a way to take over MS accounts, or force email swaps, or even gamertag shenanigans, there is too much money to be made; there is not even a point for a bug bounty.

It's like a $40 reward for returning a purse filled with $250k.

I agree with OP: no more free bugs.
I've only been using VSC for about 6 months. During my first week of use, I noted how insecure all the plugins and their communications with the main application were set up. Dismayed, I moved the workstation to an airgapped portion of my environment, and the piece of shit would not work without a net connection. So I use VSC inside a VM now. My career includes working for security companies with sensitive information and documents... VSC needs some serious redesigning with multiple experienced security engineers on the team.
If I'm reading this right, it assumes the machine's IP is publicly accessible over the internet, which I'm guessing (even with IPv6) is not the case in 99.999% of cases; who just exposes their development machine directly to the internet with a public IP?

Still bad, but not quite as bad as owning from the browser via localhost GET.
A bug like this shows that there are probably no security reviews done at all in the VS Code team. This would be flagged right away in a threat model review. Quite worrying.

Also, strange that this doesn't get a bug bounty payout; it's very severe.
What is the best alternative for TypeScript development? My favorite lightweight editor is Kakoune, but it really doesn't have enough plugins for the kind of work I do.
I don't get the video: https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-for-fun-and-negative-profit/09-poc1.gif
He goes to the hacker website and then the calculator opens?