Microsoft patches Zero-day in Python extension for Visual Studio Code (VS Code); update now


Microsoft has patched two critical security flaws in the Python extension for Visual Studio Code (VS Code) and added new features

If you are into Python programming, you must be familiar with the Python Extension for Visual Studio Code (VS Code). VS Code is a very popular open-source, cross-platform code editor. But right now, the extension is vulnerable to two zero-day flaws that allow a potential hacker to run malware on your computer/laptop.

Since Microsoft is in that mood of releasing updates, it has also updated the Python Extension for Visual Studio Code (VS Code). The new update has not only patched the two security flaws but also brings enhancements to the extension. You can download the updated Microsoft VS Code from here.

The updated version includes a patch for a critical flaw disclosed yesterday by Microsoft. One of the flaws is a remote code execution bug identified as CVE-2020-1192. The flaw is exposed when Microsoft’s VS Code Python extension loads workspace settings from a notebook file, such as a Jupyter notebook. A potential hacker who gets a specially crafted file opened in VS Code with the Python extension can run malware on the machine. Upon running the malware, the hacker could remotely take over the PC/laptop. Microsoft says it fixed the issue by “modifying the way Visual Studio Code Python extension enforces user settings”.

The updated Python extension now limits the ‘Data Science: Run Startup Commands’ setting.

A second security flaw disclosed yesterday affects Visual Studio Code when the Python extension loads configuration files after opening a project. “An attacker would need to convince a target to clone a repository and open it in Visual Studio Code with the Python extension installed. Attacker-specified code would execute when the target opened the integrated terminal,” Microsoft's blog says.

There’s also a fix for issues affecting Python in VS Code when executing multiple cells in the Notebook and Interactive Window using ipywidgets.

New features in Python Extension for VS Code

The updated Python extension now makes it easier for users to select or change a Python interpreter path in the file system. There’s also an option to manually enter a file path in VS Code. The update also changes the way the Python extension handles selecting a Python interpreter: it deprecates ‘python.pythonPath’ and removes it from ‘settings.json’, to improve things for developers who share VS Code workspace settings in a GitHub repository.
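Until the update is installed everywhere, it is worth looking at the workspace settings a cloned repository ships before opening it. The script below is an added example, not Microsoft's code and not part of the original article; it reports the two settings named above when they appear in `.vscode/settings.json`. The dotted ID `python.dataScience.runStartupCommands` is an assumed name for ‘Data Science: Run Startup Commands’, and the sample settings file is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Settings the article names. The dotted ID for "Data Science: Run Startup
# Commands" is an assumption; confirm it against your extension version.
WATCHED = ("python.pythonPath", "python.dataScience.runStartupCommands")

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string, always kept intact
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

SAMPLE = """{
  // constructed sample, not taken from a real repository
  "editor.tabSize": 4,
  "python.pythonPath": "${workspaceFolder}/tools/python",
  "python.dataScience.runStartupCommands": "<placeholder>",
}"""


def load_jsonc(text):
    """Parse settings.json, which may contain comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def audit_workspace(repo_dir):
    """Return (setting, value, note) for each watched workspace setting."""
    repo = Path(repo_dir).resolve()
    path = repo / ".vscode" / "settings.json"
    settings = load_jsonc(path.read_text(encoding="utf-8")) if path.is_file() else {}
    findings = []
    for key in WATCHED:
        if not isinstance(settings, dict) or key not in settings:
            continue
        value, note = settings[key], "set by the repository, review before opening"
        if key == "python.pythonPath" and isinstance(value, str):
            target = (repo / value.replace("${workspaceFolder}", str(repo))).resolve()
            if repo in target.parents:
                note = "interpreter path points inside the repository"
        findings.append((key, value, note))
    return findings

def demo():
    """Write SAMPLE into a temporary 'cloned repo' and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / ".vscode"
        vscode.mkdir()
        (vscode / "settings.json").write_text(SAMPLE, encoding="utf-8")
        return audit_workspace(tmp)
```

Call `audit_workspace()` on the path of a fresh clone; an empty list means neither setting is present in the repository's workspace settings.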

If you use the Python Extension for Visual Studio Code, you should update your extension now from here.

