back to article Calls for Visual Studio security tweak fall on deaf ears despite one-click RCE exploit

Perceived weaknesses in the security of Microsoft's Visual Studio IDE are being raised once again this week with a fresh single-click exploit. Developed by Zhiniang Peng, principal security researcher and chief architect of security at Sangfor, the proof of concept (PoC) exploits the default implementation of the IDE's " …

  1. Richard 12 Silver badge

    Better idea

    All the files in .vs folders are explicitly designed to be generated and used locally, and never to be shared.

    So nuke 'em. If it's not been generated locally, VS should nuke the entire folder and start over.

    We're already used to having to wipe it from time to time anyway.

  2. jeff_w87

    Using anything from Microsoft is inherently "an insecure operation."

    1. Anonymous Coward
      Anonymous Coward

      Yes, but the sheer amount of fawning from devs over Visual Studio and Visual Studio Code has caused a lot of promising projects to either die or slow down dramatically.

      VSCode is a decent editor, but I just can't trust it...because it is Microsoft...and I know they have a deep love of implementing insane amounts of undocumented telemetry in their products. I'd trust them a lot more if they openly documented the telemetry *and* allowed me to view the telemetry...I just don't understand why telemetry has to be so "cloak and dagger" if there is nothing untoward going on...I therefore have to assume that Microsoft is over collecting and they don't want people to see what they are collecting...most likely because nobody would agree to it if given the option.

      Third party builds like VSCodium shouldn't have to exist.

      1. CowHorseFrog Silver badge

        Because choice is bad ?

        1. Anonymous Coward
          Anonymous Coward

          Choice is always good, but not when it is arbitrary...think of the time wasted by people maintaining a stripped back, telemetry free build of something that already exists...what else could they be working on?

          If VSCode had no tracking and telemetry bullshit shoehorned in, VSCodium wouldn't exist. It's a false choice.

  3. Pascal Monett Silver badge

    "Perceived" weaknesses ? Really ?

    From my point of view, those weaknesses are hardly a question of perception if they're already being exploited.

  4. Anonymous Coward
    Anonymous Coward

    Denial of Service

    When my Internet went down a few days ago, I discovered that Visual Studio requires a permanent connection to the Internet in order to resolve NuGet package references, otherwise building projects will hang when there is no connectivity.

    1. CowHorseFrog Silver badge

      Re: Denial of Service

      Congrats on using Microsoft(tm).

    2. Anonymous Coward
      Anonymous Coward

      Re: Denial of Service

      People still use NuGet?

      I suspect your problem is you have some sort of setting enabled that checks your depency tree at compile time. Back when I was young, had no decision making power and had to work under various .NET dev wankers, I had to use .NET and NuGet and I used to be able to edit / compile on a train with no internet...I really fucking hated working in .NET and Visual Studio...the only feature that I think attracts lots of devs is that VS.NET makes you look busier than you actually are because you constantly have to be clicking away at menus, showing and hiding debug panes etc etc...managing Visual Studio is a job in itself.

      Probably explains why a lot of .NET projects end up in the toilet or in a really shit state...too much time faffing with the sails, not enough time looking for rocks and reefs. Know what I mean?

  5. CowHorseFrog Silver badge

    Maybe Amazon will sue Microsoft for the One-Click thing.

  6. garwhale Bronze badge

    Microsoft gets hacked using Visual Studio exploit

    Sometime in the future

    Microsoft admitted that data including software signing private keys had been exfiltrated using a known Visual Studio RCE. Asked why they did not patch this, MS did not reply.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like