If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.
-
Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now. Microsoft have created their own security bonfire, and it's going off in their own backyard; they just haven't realised yet.
@GossiTheDog make it the trifecta by dropping malware that abuses the vscode uninstaller -
-
@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...
-
@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the North Korean government.
It's reasonably lightweight, but I don't trust it any more, as even if I only use it for text editing it's too willing to run code from external sources.
-
RE: https://hachyderm.io/@ChrisShort/116606591908387955
If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.
The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.
Anybody can publish an extension, it provides code execution on endpoints, extensions auto-update by default, "verified" blue tick extensions just need any domain registration, and there are no endpoint security controls at all around what users can install.
VSCode is an absolute security shittip as a result.
@GossiTheDog especially bad in light of rejecting the requests for cooldowns in the past https://github.com/microsoft/vscode/issues/79689
-
They recently added a feature to control what publishers are allowed.
-
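An added example, not part of this thread and not Microsoft's code, to make the "control what publishers are allowed" reply concrete. The publisher/extension control is the `extensions.allowed` setting, and `code --list-extensions --show-versions` prints what is actually installed as `publisher.name@version` lines, so the two can be checked against each other. The sample listing and policy below are constructed. How the policy object is interpreted here (an extension-level rule beats its publisher-level rule, matching is case-insensitive, anything the policy does not name is denied once the setting exists, and "stable" means no pre-release builds) is an assumption modelled on the documented setting; confirm it against the current VS Code docs before relying on it.

```python
"""Audit installed VS Code extensions against an ``extensions.allowed`` policy.

Added example (not from the thread, GossiTheDog, or Microsoft). The policy
semantics modelled in decide() are an ASSUMPTION based on the documented
setting, not a transcription of VS Code's own implementation.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample output of `code --list-extensions --show-versions`.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
ms-vscode-remote.remote-ssh@0.116.1
GitHub.copilot@1.250.0
somebody.helpful-theme@3.1.4
esbenp.prettier-vscode@11.0.0
ms-python.python@2024.23.2024122001
"""

# Constructed settings in the shape of settings.json (or a managed policy).
SAMPLE_SETTINGS = json.loads("""
{
  "extensions.allowed": {
    "ms-python": true,
    "ms-python.python": ["2024.22.0"],
    "ms-vscode-remote": true,
    "github": true,
    "esbenp.prettier-vscode": false
  },
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false
}
""")

LISTING_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Turn `id@version` lines into (id, version) pairs; reject anything else."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LISTING_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected listing line: {line!r}")
        pairs.append((m.group("id"), m.group("version")))
    return pairs


def decide(policy: Dict[str, object], ext_id: str, version: str) -> Tuple[bool, str]:
    """Apply one extensions.allowed object to one installed extension.

    Assumed rule order: extension-level, then publisher-level, then deny.
    """
    rules = {k.lower(): v for k, v in policy.items()}  # assumed case-insensitive
    ext_key = ext_id.lower()
    pub_key = ext_key.split(".", 1)[0]
    for key, level in ((ext_key, "extension"), (pub_key, "publisher")):
        if key not in rules:
            continue
        rule = rules[key]
        if rule is True:
            return True, f"{level} rule allows"
        if rule is False:
            return False, f"{level} rule blocks"
        if isinstance(rule, list):
            if version in rule:
                return True, f"{level} rule pins {version}"
            return False, f"{level} rule pins {rule}, installed {version}"
        if rule == "stable":
            # The listing does not say whether a build is pre-release, so
            # this rule cannot be fully verified from the listing alone.
            return True, f"{level} rule allows stable builds only (not verified here)"
        return False, f"{level} rule has unrecognised value {rule!r}"
    return False, "no matching rule: default deny once extensions.allowed is set"


def audit(listing_text: str, settings: Dict[str, object]) -> Dict[str, List[str]]:
    """Bucket installed extensions as allowed/blocked and flag config that
    undoes the policy's value (no policy at all, or silent auto-update)."""
    policy = settings.get("extensions.allowed")
    report: Dict[str, List[str]] = {"allowed": [], "blocked": [], "config": []}
    if policy is None:
        report["config"].append("extensions.allowed is unset: any Marketplace extension can be installed")
    if settings.get("extensions.autoUpdate", True) is not False:
        report["config"].append("extensions.autoUpdate is not false: extensions update silently")
    for ext_id, version in parse_listing(listing_text):
        if policy is None:
            report["allowed"].append(f"{ext_id}@{version}: no policy")
            continue
        ok, why = decide(policy, ext_id, version)
        report["allowed" if ok else "blocked"].append(f"{ext_id}@{version}: {why}")
    return report


if __name__ == "__main__":
    for bucket, lines in audit(SAMPLE_LISTING, SAMPLE_SETTINGS).items():
        for line in lines:
            print(f"{bucket:8} {line}")
```

To run it against a real machine, replace SAMPLE_LISTING with the output of `code --list-extensions --show-versions`. Two caveats the thread itself raises: auto-update has to be switched off separately (`extensions.autoUpdate`), because an allowed publisher can still ship a hostile update; and an allow list that lives in a user-editable settings.json is only a suggestion to a user who installed VS Code without admin rights in the first place, so it needs to be pushed as a managed policy where your platform's enterprise policy support allows.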
@GossiTheDog wonder if that's why at my company they've had a crackdown on VS Code extensions. Now they have an allow list of extensions that can be installed and nothing else.
-
@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.
-
@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.
I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.
-
@GossiTheDog @tymwol Something macros something something word documents
-
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
-
@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.
-
@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU
-
@GossiTheDog One day, I might figure out why I'd ever want to install VSCode, but this is not that day. May it rot in hell for completely destroying search results between it and the real VS, both ways.
-
@GossiTheDog@cyberplace.social "but it's for developers it's allowed to be insecure they surely know what they're doing and think perfectly rationally at all times!"
-
@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!
-
@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.
It was shockingly terrible! You can't find or use ANYTHING safely in that tool.
I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.
-
@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?
-
VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.
-
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company.
-
@GossiTheDog One of the top 10 extensions, with 73 million downloads, looks like it's owned by a single dev on his personal GitHub account.
I wonder how many phishing attempts he gets per day.