Paul’s Security Weekly (Video)
Technology
Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Show Notes: https://securityweekly.com/psw-804
Embracing AI - Alex Sharpe - PSW #810
Holiday News Edition Featuring Special Guests - PSW #809
Vulnerability Management and Disclosure - PSW #809
Hardware Hacking - PSW #809
Vulnerability Reporting, Zyxel, GPS Spoofing - PSW #808
AI, LLMs and Some Hardware Hacking - Matthew Carpenter - PSW #808
AI and LLMs - Think of the Children - Josh More - PSW #808
Interview with Brian Snow - PSW Vault
SSH Under Attack, IoT Routers, BLE Spam, & Patching a House of Cards - PSW #807
3 Layers of App Security to Keep Hackers Out, Let Customers In - Aviad Mizrachi - PSW #807
Firmware, Mainframes, Security and Risk - PSW #806
Testing AI Before It Comes To Get You - Austin Carson - PSW #806
Source Code Revealed, Resume Prompt Injection, iPhones Be Updating, & Florida Man - PSW #805
Trustworthy AI for National Security - Kathleen Fisher - PSW #805
Shenanigans and more - PSW #804
Fried Squid, Flipper Zero BLM Spam, Apple Devices, Signal Vulns? & Android TV Devices - PSW #803
Meet the Cyber Mercenary who can Overthrow a Government - Chris Rock - PSW #803
Android TVs (Malware Included), Patch Netscaler, Fixing Legacy Auth, & GNOME Bugs! - PSW #802
Getting Started With Reverse Engineering Hardware - PSW #802
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
Darknet Diaries