[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Missing Trust Validation in Visual Studio's VSIX Installer
From: "Ostovary, Daniel" <daniel.ostovary () rubicon ! eu>
Date: 2020-08-26 13:37:21
Message-ID: 5ce22cf256fd4c35a78035b7c50c903c () rubicon ! eu
[Download RAW message or body]
Hi,
we have recently discovered a vulnerability in the VSIX Installer of Visual Studio. More \
specifically, the vulnerability existed in the validation of VSIX package signatures. This \
vulnerability allowed attackers
* to 'revive' expired code-signing certificates for VSIX package signatures and
* to maliciously modify timestamps when intercepting timestamp requests for VSIX package \
signatures.
For more details see here:
https://about.signpath.io/blog/2020/08/26/on-the-importance-of-trust-validation.html
Best regards,
SignPath
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic