Security Weekly Podcast Network (Video)
Technology
Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Show Notes: https://securityweekly.com/psw-804
Threat Modeling and Understanding Inherent Threats - Adam Shostack - ESW #359
TikTok, Flowmon, Cisco, Brokewell, RuggedCom, Deepfakes, Non-Competes, Aaran Leyland - SWN #381
How GenAI Can Improve SecOps - Ely Kahn - ESW #359
Your TV Is Scanning You - PSW #826
Autonomous - I don't think that word means what you think it means - ESW #359
Advising The President On Cyber-Physical Resilience - Philip Venables - PSW #826
XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282
Robofly, CRUSHFTP, Github, Palo Alto, MITRE, Fancy Bear, Deepfakes, Aaran Leyland... - SWN #380
Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282
Unraveling the "Materiality" Mystery: A CISO's Guide to SEC Compliance - Mike Lyborg - BSW #347
What does DoD’s CMMC Requirement Mean for American Businesses - Edward Tuorinsky - BSW #347
Win 95, LastPass, Kubernetes, Sandworm, Bloomtech, Frontier, 911, Aaran Leyland... - SWN #379
Crazy money and crazy outcomes - cybersecurity acquisitions in all shapes and sizes - ESW #358
From Hackers to Streakers - How Counterintelligence Teams are Protecting the NFL - Joe McMann - ESW #358
Hacker Heroes - Winn Schwartau - PSW #825
PCI 4.0 - PSW #825
Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281
Duo, Steganography, Roku, Palo Alto, Putty, Cerebral, IPOs, SanDisk, & Josh Marpet - SWN #378
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
Generative AI Legal Challenges as SEC Charges Disrupt Journey to CISO Role - BSW #346
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
Black Wolf Feed (Chapo Premium Feed Bootleg)
Bannon`s War Room