Microsoft has patched a Remote Code Execution vulnerability in Visual Studio which could be exploited by creating a code repository – such as for a popular open source tool – and convincing a developer to clone and open it.
The vulnerability (CVE-2020-17023) exists in the handling of the ‘package.json’ file and can be exploited to run arbitrary code in the context of the current user on the system.
Modern software development makes extensive use of third party and open source libraries which are incorporated into in-house developed systems and commercial products. Attackers who exploited this vulnerability could insert their own code into your software or establish a network beachhead on a developer’s computer and use that as a launch point into your network.
Security aware software development managers can protect their code from supply chain attacks by educating developers to validate the source and trustworthiness of third party libraries before importing them into their software projects.