If you want on to Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

49 Posts 34 Posters 202 Views
#27 brnrd@bsd.network, replying to gossithedog@cyberplace.social:

> Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
>
> I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"

Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!
#28 epic_null@infosec.exchange, replying to conanchiles@infosec.exchange:

> @GossiTheDog
>
> They recently added a feature to control what publishers are allowed
>
> Linked: "Centrally manage VS Code settings with policies" (code.visualstudio.com): Enterprise policies in Visual Studio Code enable organizations to centrally manage settings for their development teams. This reference details the available policies and how to implement them.

@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"
#29 stonebear2@hachyderm.io, replying to gossithedog@cyberplace.social (the original post):

> RE: https://hachyderm.io/@ChrisShort/116606591908387955
>
> If you want on to Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.
>
> The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
>
> Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
>
> VSCode is an absolute security shittip as a result.

@GossiTheDog ....

.......

and here I thought npm was bad. Sweet moldy cheezus on stale wonderbread with a radiator moonshine chaser and a frop stash full of ergot.
#30 stevel@hachyderm.io, continuing from their own earlier post:

> @GossiTheDog it's permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the North Korean government.
>
> It's reasonably lightweight, but I don't trust it any more as even if I only use it for text editing, it's too willing to run code from external sources

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was Windows only
#31 ingmarvandijk@mastodon.social, replying to neffo@mas.to:

> @GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?

@neffo @GossiTheDog @maccruiskeen coreP0WNED
#32 steppl@mastodon.social, replying to gossithedog@cyberplace.social's original post (quoted in full above):

@GossiTheDog

Tried VScode, it was not really bad - except that, for my taste, it ate too much RAM, which becomes precious with all those AI and browser-engine apps.

Still looking for something better than Notepad++ having:
- low mem footprint
- (relatively) fast
- plugin/built-in support for a couple of languages I need
#33 larthallor@mastodon.social, replying to gossithedog@cyberplace.social's original post (quoted in full above):

@GossiTheDog Just got notified by regular old Visual Studio that there is an update 18.6.1 except there are no release notes for 18.6.1.

So now I'm left wondering if this is a fix for a security flaw I should install right now or the result of a supply side attack facilitated by a security flaw I should definitely not install.

Whichever is the truth, I'm sure the correct approach is to ask CoPilot what to do, right Microsoft?
#34 paco@infosec.exchange, replying to brnrd@bsd.network (#27, quoted above):

@brnrd Seems like they pioneered this model back with ActiveX plugins:
(A) trust this plugin to do anything it wants, even if it’s malicious,
(B) don’t let this plugin do anything, no matter how useful
(C) Maybe later (the 2020s enhanced version of this choice)

@GossiTheDog
#35 h0ru2@cyberplace.social, replying to gossithedog@cyberplace.social (the "check your telemetry" post, quoted above):

@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.
#36 binford2k@hachyderm.io, replying to emily_s@mastodon.me.uk:

> @GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.
>
> Linked: GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor. (github.com)

@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547
#37 emily_s@mastodon.me.uk, replying to binford2k@hachyderm.io (#36, quoted above):

@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plug-ins to check if they've added yet another way to trip this class of thing? (plugins that silently update by default)

That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.
#38 binford2k@hachyderm.io, replying to emily_s@mastodon.me.uk (#37, quoted above):

@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.
#39 mcepl@en.osm.town, replying to gossithedog@cyberplace.social's original post (quoted in full above):

@GossiTheDog

And if you, like me, don’t use VS Code, don’t feel smug: our editors ($VIM, Emacs, etc.) don’t even have any marketplace and pull executable code from completely random places on the Internet (mostly GitHub, which we know how secure it is).

#Fail #NoSecurity
#40 yacc143@mastodon.social, replying to gossithedog@cyberplace.social's original post (quoted in full above):

@GossiTheDog
Nothing surprising here.

Microsoft traditionally has the MSDOS & Windows 3.11 security mindset, which is only replaced surgically with something better. But the default is no security.

Prove me wrong.
#41 yacc143@mastodon.social, replying to stevel@hachyderm.io (#30, quoted above):

@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of the world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"

But yes, ActiveX was unfairly Windows only, we non-Windows users were discriminated against.
@GossiTheDog
#42 yacc143@mastodon.social, replying to gossithedog@cyberplace.social:

> @ingram you can probably install VSCode 😅

@GossiTheDog
Not really, VSC lets extensions bring their own binaries too, doesn't it?
@ingram
#43 stevel@hachyderm.io, replying to yacc143@mastodon.social (#41, quoted above):

@yacc143 @GossiTheDog did get an IE3 patch out to fix an ActiveX control vulnerability back in the late 90s, it was such an easy target.

Has anything that bad shipped between then and VS Code plugins? Doubtful. Flash and Java applets were trying to run in sandboxes...
#cybersecurity
#44 yacc143@mastodon.social, replying to binford2k@hachyderm.io (#38, quoted above):

@binford2k
Yeah the point is that it's an utterly bad design:

So you have to blindly trust the workspace directory to "auto run" in undefined ways (because extensions can add/modify behaviour).

Or you have to accept that a certain part of the functionality (again undefined) will not work or will work suboptimally.

And there is literally no way to safely review: give me an overview of what commands this repo configures to run.

The point is @emily_s @GossiTheDog
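The review yacc143 asks for above (an overview of what a repo configures VS Code to run) can be approximated for one mechanism, the .vscode/tasks.json auto-run that binford2k's devclass link describes. The script below is an added example, not code from the thread or from VS Code; it assumes the documented tasks.json layout (a "tasks" list whose entries may carry "runOptions": {"runOn": "folderOpen"}), that VS Code reads that file as JSON with comments, and a constructed sample file in place of a real checkout.

```python
"""Audit a repo's .vscode/tasks.json for tasks VS Code runs when the folder is opened.

Added example, not code from the thread or from VS Code. It assumes the documented
tasks.json layout: a "tasks" list whose entries may carry
"runOptions": {"runOn": "folderOpen"}; VS Code fires those once the folder is trusted.
"""
import json
import re
import sys
from pathlib import Path

# Constructed sample of a cloned repo's .vscode/tasks.json; commands are placeholders.
SAMPLE_TASKS_JSON = """{
  // JSONC: VS Code accepts comments and trailing commas in this file
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "shell", "command": "npm run lint", },
    { "label": "setup", "type": "shell", "command": "sh ./scripts/bootstrap.sh", /* constructed */
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "type": "process", "command": "make", "args": ["-j4"],
      "runOptions": { "runOn": "folderOpen" } }
  ],
}
"""

# Tokenise so string literals stay intact (a "//" inside "https://..." is not a
# comment), comments are dropped, and a comma right before } or ] is dropped.
_JSONC_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'   # JSON string literal, escapes included
    r'|//[^\n]*'           # line comment
    r'|/\*.*?\*/'          # block comment
    r'|,(?=\s*[}\]])',     # trailing comma
    re.DOTALL,
)


def parse_jsonc(text: str) -> dict:
    """Parse VS Code-style JSON-with-comments into a Python object."""
    cleaned = _JSONC_TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(cleaned)


def render_command(task: dict) -> str:
    """Flatten command + args into one reviewable line (per-OS overrides not merged)."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):  # {"value": "...", "quoting": ...} form
        cmd = cmd.get("value", "")
    args = [a.get("value", "") if isinstance(a, dict) else str(a)
            for a in task.get("args", [])]
    return " ".join(p for p in [str(cmd), *args] if p)


def auto_run_tasks(tasks_json_text: str) -> list:
    """Return label/type/command for every task marked runOn == "folderOpen"."""
    hits = []
    for task in parse_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label", "<unlabelled>"),
                         "type": task.get("type", "shell"),
                         "command": render_command(task)})
    return hits


def audit_repo(repo: Path) -> list:
    """Audit a checkout; no .vscode/tasks.json means no task can auto-run this way."""
    path = repo / ".vscode" / "tasks.json"
    return auto_run_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []


if __name__ == "__main__":
    hits = audit_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else auto_run_tasks(SAMPLE_TASKS_JSON)
    for h in hits:
        print(f'[folderOpen] {h["label"]} ({h["type"]}): {h["command"]}')
```

Run it against a checkout (a path as the first argument) before answering the trust prompt. As the thread notes, extensions can add their own on-open behaviour, which this file-level check does not see.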
#45 yacc143@mastodon.social, continuing from #44 (quoted above):

Some of this configuration is totally benign and makes sense, like LSP support etc (although just blindly configuring it risks configuring tools that are not installed on the system, but that's another story).
@emily_s @GossiTheDog @binford2k
#46 slashdottir@mastodon.online, replying to gossithedog@cyberplace.social's original post (quoted in full above):

@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.

Security is like this fractal Mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.