New Vulnerability in Visual Studio

Saturday, October 17, 2020, 23:20 GMT

CVE-2020-17023 | Visual Studio JSON Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious ‘package.json’ file, aka ‘Visual Studio JSON Remote Code Execution Vulnerability’.

An attacker who successfully exploited the vulnerability could execute arbitrary code in the context of the current user. If the current user is logged in with administrative user privileges, the attacker could take control of the affected device. The attacker could then install programs; access, alter, or remove data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to persuade a target to clone a repository and open it in Visual Studio Code. The attacker-specified code is executed when the target opens the malicious ‘package.json’ file.

The fix addresses the vulnerability by changing the way Visual Studio Code handles JSON files.

Sources:

Microsoft
UndercodeNews