Visual Studio VSIX Installer Validation Issues

The VSIX Installer of Visual Studio allows for revival of expired code-signing certificates and modification of timestamps.

MD5 | 0820db3baca073cc40bc281ba64f90f6


we have recently discovered a vulnerability in the VSIX Installer of Visual Studio. More specifically, the vulnerability existed in the validation of VSIX package signatures. This vulnerability allowed attackers

* to 'revive' expired code-signing certificates for VSIX package signatures and

* to maliciously modify timestamps when intercepting timestamp requests for VSIX package signatures.

For more details see here:

Best regards,

Related Posts