Paul’s Security Weekly (Video)
Technology
Sonar vulnerability researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered several ways for attackers to gain code execution on a victim's computer if the victim clicked a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations such as Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist, and because developers have access to source code and production systems, they make very interesting targets for threat actors. It is important to note that the security concepts the two demonstrate apply not just to Visual Studio Code but to most other code editors. This is also the story of how the researchers received an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
Blog posts:
Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/)
Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs:
CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742)
CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129)
CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Show Notes: https://securityweekly.com/psw-804