Flaws in four popular VS Code extensions left 128 million installs open to attack

Microsoft quietly patched its own extension: The fourth vulnerability played out differently. Microsoft’s Live Preview extension, with 11 million downloads, contained a cross-site scripting flaw that, according to OX Security, let a malicious web page enumerate files in the root of a developer’s machine and exfiltrate credentials, access keys, and other secrets.

The researchers reported the issue to Microsoft on August 7. Microsoft initially rated it as low severity, citing required user interaction. “However, on September 11, 2025, without notifying us, Microsoft quietly released a patch addressing the XSS security issues we reported. We only recently discovered that this patch had been deployed,” the researchers added.

No CVE was assigned to this vulnerability. “Users with Live Preview installed should update to version 0.4.16 or later immediately,” the researchers suggested. Microsoft did not immediately respond to a request for comment.

Taken together, the four flaws pointed to a broader problem with how developer tools are secured and maintained.

What security teams should do: “These vulnerabilities confirm that IDEs are the weakest link in an organization’s supply chain security,” the researchers at OX Security said in the advisory.

Developer workstations routinely hold API keys, cloud credentials, database connection strings, and SSH keys. OX Security warned that a successful exfiltration from a single machine could give an attacker access to an organization’s broader infrastructure, and that the risks extended to lateral movement and full system takeover.

The researchers advised developers to disable extensions not actively in use and to avoid browsing untrusted sites while localhost servers are running. They also cautioned against applying configuration snippets from unverified sources to VS Code’s global settings.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4133800/flaws-in-four-popular-vs-code-extensions-left-128-million-installs-open-to-attack.html
