Researchers released PoC for RCE (CVE-2022-41034) in Visual Studio Code

A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Visual Studio Code and patched by Microsoft in October was published online.

“An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop,” a researcher from Google said.

Identified as CVE-2022-41034, the security flaw could grant remote attackers full control of vulnerable systems. Visual Studio Code combines the simplicity of a code editor with what developers need for their core edit-build-debug cycle. It provides comprehensive code editing, navigation, and understanding support along with lightweight debugging, a rich extensibility model, and lightweight integration with existing tools.

As a proof-of-concept (PoC) demonstration, the researchers showed it was possible to exploit CVE-2022-41034 to execute arbitrary code on the system of a developer who is running Visual Studio Code.

“A Jupyter Notebook is a type of rich text document supported out of the box by Visual Studio Code. Used primarily in data science, it is made up of multiple segments of Python code, Markdown, HTML and other formats. The Python code is run on the viewer machine to generate diagrams. Because running potentially foreign or malicious code is dangerous, a Jupyter notebook normally starts in untrusted mode and the user is shown a dialog to confirm trust. When the document is trusted most security restrictions are bypassed,” the researcher wrote.
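Since trusting a notebook lifts most restrictions, it helps to see what a notebook contains before answering the trust dialog. The following is an added example, not code from the researcher or from Microsoft: it assumes the nbformat 4 JSON layout of `.ipynb` files, and the function name, the list of MIME types and the sample notebook are constructed for illustration.

```python
import json
import re

# Saved-output MIME types that a notebook viewer may render as active content
# (assumed list for this example, not taken from the article).
ACTIVE_MIME = {"text/html", "application/javascript", "image/svg+xml"}
HTML_TAG = re.compile(r"<[A-Za-z][^>]*>")

def _text(value):
    # nbformat stores multi-line strings as one string or as a list of lines.
    return "".join(value) if isinstance(value, list) else (value or "")

def review_notebook(raw_json):
    """Return (cell_index, finding) pairs for a notebook given as JSON text."""
    nb = json.loads(raw_json)
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        kind = cell.get("cell_type")
        src = _text(cell.get("source"))
        if kind == "code" and src.strip():
            # Code cells are what runs on the viewer's machine once trusted.
            findings.append((i, "code"))
        elif kind == "markdown" and HTML_TAG.search(src):
            findings.append((i, "html-in-markdown"))
        # display_data / execute_result outputs carry a MIME-keyed "data" dict.
        for out in cell.get("outputs", []):
            for mime in sorted(ACTIVE_MIME & set(out.get("data", {}))):
                findings.append((i, "output:" + mime))
    return findings

# Constructed sample notebook (not a real file and not the published PoC).
SAMPLE = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "source": "# Sales report\n"},
        {"cell_type": "markdown", "source": ["See <img src=\"chart.png\">\n"]},
        {"cell_type": "code", "source": ["import math\n", "print(math.pi)"],
         "outputs": [{"output_type": "display_data",
                      "data": {"text/plain": "3.14", "text/html": "<b>3.14</b>"}}]},
        {"cell_type": "code", "source": "", "outputs": []},
    ],
})

if __name__ == "__main__":
    for index, finding in review_notebook(SAMPLE):
        print("cell %d: %s" % (index, finding))
```

The report is an inventory for a human reviewer; an empty result does not mean a notebook is safe to trust.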

The researcher has published extensive technical details, including a PoC exploit for CVE-2022-41034, so it is important to address the vulnerability as soon as possible.

Although the flaw in Visual Studio Code has since been addressed, the findings are important in light of a series of security incidents that show how developers have emerged as lucrative attack targets.