Missing Trust Validation in Visual Studio’s VSIX Installer

Posted by Ostovary, Daniel on Aug 29

Hi,

we have recently discovered a vulnerability in the VSIX Installer of Visual Studio. More specifically, the
vulnerability existed in the validation of VSIX package signatures. This vulnerability allowed attackers

* to ‘revive’ expired code-signing certificates for VSIX package signatures and

* to maliciously modify timestamps when intercepting timestamp requests for VSIX package signatures.

For more details see…
