[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Missing Trust Validation in Visual Studio's VSIX Installer
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Missing Trust Validation in Visual Studio's VSIX Installer
- From: "Ostovary, Daniel" <daniel.ostovary@xxxxxxxxxx>
- Date: Wed, 26 Aug 2020 13:37:21 +0000
Hi,
we have recently discovered a vulnerability in the VSIX Installer of Visual
Studio. More specifically, the vulnerability existed in the validation of VSIX
package signatures. This vulnerability allowed attackers
* to 'revive' expired code-signing certificates for VSIX package
signatures and
* to maliciously modify timestamps when intercepting timestamp requests
for VSIX package signatures.
For more details see here:
https://about.signpath.io/blog/2020/08/26/on-the-importance-of-trust-validation.html
Best regards,
SignPath
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/