"Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer"

According to security researchers, an "easily exploitable" vulnerability in the Microsoft Visual Studio installer could allow an attacker to impersonate a legitimate publisher and distribute malicious extensions. Dolev Taler, a researcher at Varonis, noted that a threat actor could impersonate a well-known publisher and distribute a malicious extension to compromise a targeted system. Malicious extensions have been used to steal sensitive data, access and modify code, and take complete control of a system. Microsoft addressed the spoofing flaw, tracked as CVE-2023-28299 with a CVSS score of 5.5, as part of its Patch Tuesday updates for April 2023. Varonis discovered that the flaw stems from the Visual Studio user interface, which allows publisher digital signatures to be spoofed. This article continues to discuss the potential exploitation and impact of the flaw found in the Microsoft Visual Studio installer.

THN reports "Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer"
