If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog One of the top 10 extensions, with 73 million downloads, looks like its owned by a single dev on his personal github account.
I wonder how many fishing attempts he gets per day.
-
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
@ingram you can probably install VSCode
-
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company
@GossiTheDog@cyberplace.social @maccruiskeen@social.linux.pizza also, this is the company that chose to call a flagship product family .NET
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog lol MS didn't even follow their own guidelines
-
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company
@GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"
Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop! -
They recently added a feature to control what publishers are allowed
Centrally manage VS Code settings with policies
Enterprise policies in Visual Studio Code enable organizations to centrally manage settings for their development teams. This reference details the available policies and how to implement them.
(code.visualstudio.com)
@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog ....
.......
and here I thought npm was bad. Sweet moldy cheezus on stale wonderbread with a radiator moonshine chaser and a frop stash full of ergot.
-
@GossiTheDog its permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fun the north korean government.
It's reasonably lightweight, but I don't trust it any more as even if I only use it for text editing, it's too willing to run code from external sources
@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only
-
@GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?
@neffo @GossiTheDog @maccruiskeen coreP0WNED
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
Tried VScode, it was not really bad - except for my taste ate too much RAM, which becomes precious with all that AI and Browser-engine Apps.
Still looking for something better than Notepad++ having:
- low mem footprint
- (relatively) fast
- plugin/built-in support for couple languages I need -
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog Just got notified by regular old Visual Studio that there is an update 18.6.1 except there are no release notes for 18.6.1.
So now I'm left wondering if this is a fix for a security flaw I should install right now or the result of a supply side attack facilitated by a security flaw I should definitely not install.
Whichever is the truth, I'm sure the correct approach is to ask CoPilot what to do, right Microsoft?
-
@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"
Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!@brnrd Seems like they pioneered this model back with ActiveX plugins:
(A) trust this plugin to do anything it wants, even if it’s malicious,
(B) don’t let this plugin do anything, no matter how useful
(C) Maybe later (the 2020s enhanced version of this choice) -
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.
-
@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.
GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor.
A repo that deletes it self when it opens in an editor. - emilyselwood/self_deleting_repo
GitHub (github.com)
@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547
-
@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547
@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plug-ins to check if they've added yet another way to trip this class of thing? (plugin's that silently update by default)
That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.
-
@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plug-ins to check if they've added yet another way to trip this class of thing? (plugin's that silently update by default)
That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.
@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
And if you like me don’t use VS Code, don’t feel smug: our editors ($VIM, Emacs, etc.) don’t even have any marketplace and pull executable code from completely random places on the Internet (mostly GitHub, which we know how secure it is).
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog
Nothing surprising here.Microsoft traditionally has the MSDOS & Windows 3.11 security mindset, which only is replaced surgically with something better. But the default is no security.
Prove me wrong.
-
@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only
@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"But yes active-x was unfairly windows only, we non windows users were discriminated against.
@GossiTheDog
