"Plug-ins for Code Editors Pose Developer-Security Threat"
Critical vulnerabilities were discovered in two plug-ins for Microsoft's popular Visual Studio Code editor. According to the software security firm Snyk, exploiting these vulnerabilities could allow an attacker to execute malicious code on a developer's machine by tricking the developer into clicking a link. The firm warns that code editor extensions can give attackers a path into development environments. The two extensions, "Open in Default Browser" and "Instant Markdown," account for more than 600,000 downloads in the Visual Studio Code Marketplace. Although both issues have now been patched, the discovery raises the concern that similar problems exist in other extensions. The open question is whether the security of Microsoft's Visual Studio Code, GitHub's Atom, and other extensible code editors has been assessed thoroughly enough. Extensible code editors have grown in popularity over the past decade: the 2019 Stack Overflow Developer Survey found that more than 51 percent of developers use Visual Studio Code, while another 23 percent use Sublime Text and 13 percent use Atom. Developers should be more careful about the extensions they install, but the marketplace currently offers no built-in tools for vetting the security of extensions. Securing the ecosystem requires more security checks and better ways to communicate to users how thoroughly an editor plug-in has been reviewed. Developers who publish and maintain extensions for any platform should at least use modern tools to check the security of their code. This article continues to discuss the potential impact of the two critical vulnerabilities found by Snyk, the growing popularity of extensible code editors, the lack of tools for vetting extension security, the consequences of software supply chain attacks, and how to keep the software ecosystem secure.
Dark Reading reports "Plug-ins for Code Editors Pose Developer-Security Threat"