BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Visual Studio Code is why I have (Workspace) Trust i
 ssues\n   When: Friday\, Aug 11\, 16:00 - 16:45 PDT\n   Where: Caesars For
 um - Forum - 109-119\, 138-139 - Track 2 - [1]Map\n   Speakers:Paul Gerste
 \,Thomas Chauchefoin\n\n   SpeakerBio:Paul Gerste \, Vulnerability Researc
 her at Sonar\n   Paul Gerste (@pspaul95) is a Vulnerability Researcher in
  the Sonar R&D\n   team. In the last months\, he has been hunting bugs
  in pop
 ular\n   JavaScript and TypeScript applications\, yielding critical\n   vu
 lnerabilities in projects such as Rocket.Chat\, NodeBB\, and Blitz.js.\n  
  Paul has also been a CTF player and organizer for some years and loves\n 
   to hack all web-related things.\n   Twitter: [2]@pspaul95\n\n   SpeakerB
 io:Thomas Chauchefoin \, Vulnerability Researcher at Sonar\n   Thomas Chau
 chefoin (@swapgs) is a Vulnerability Researcher in the\n   Sonar R&D team.
  With a strong background in offensive security\, he\n   helps uncover and
  responsibly disclose 0-days in major open-source\n   software. He also pa
 rticipated in competitions like Pwn2Own or\n   Hack-a-Sat and was nominate
 d for two Pwnies Awards for his research on\n   PHP supply chain security.
 \n\n   Description:\n   Developers are threat actors' targets of choice be
 cause of their\n   access to business-critical services. After compromisin
 g a single\n   developer\, they could push code changes or obtain sensitiv
 e\n   information. For instance\, a recent campaign attributed to North Ko
 rea\n   set up social network profiles to social engineer and infect promi
 nent\n   figures of the developer community with malicious Visual Studio\n
    projects and browser exploits.\n\n   At the same time\, modern developm
 ent tools offer increasingly advanced\n   features and deep integration wi
 th ecosystems\, sometimes at the cost\n   of basic security measures. Code
  editors tried to counterbalance it by\n   introducing new lines of defens
 e (e.g.\, "Workspace Trust")\, leading to\n   a cat-and-mouse game to rest
 rict access while keeping most features\n   available by default.\n\n   In
  this talk\, we present the state of the art of Visual Studio Code's\n   s
 ecurity. We go in-depth into its attack surface\, how its extensions\n   w
 ork\, and the technical details of two vulnerabilities we found in\n   Vis
 ual Studio Code. These findings\, CVE-2021-43891 and CVE-2022-30129\,\n   
 led to a $30.000 bounty with an unexpected twist. We also present\n   1-da
 ys discovered by other researchers to develop the audience's\n   intuition
 . These concepts apply to most IDEs on the market so\n   everybody will no
 w think twice before opening third-party code!\n\n   REFERENCES:\n   [3]ht
 tps://blog.electrovolt.io/posts/vscode-rce/ [4]https://www.sonarsource.com
 /blog/securing-developer-tools-git-integrations/\n   [5]https://www.sonars
 ource.com/blog/securing-developer-tools-argument-injection-in-vscode/\n   
 [6]https://blog.doyensec.com/2022/10/27/jupytervscode.html [7]https://iwan
 tmore.pizza/posts/cve-2019-1414.html\n   [8]https://github.com/justinsteve
 n/advisories/blob/master/2017_visual_studio_code_workspace_settings_code_e
 xecution.md\n   [9]https://github.com/doyensec/VSCode_PoC_Oct2019 [10]http
 s://github.com/microsoft/vscode/issues/107951\n   [11]https://www.youtube.
 com/watch?v=Olq6XnZ4Pwo [12]https://github.com/google/security-research/se
 curity/advisories/GHSA-pw56-c55x-cm9m\n\n   '\n\n   1. #CaesarsForumBR\n  
  2. https://twitter.com/pspaul95\n\n\n
DTEND:20230811T234500Z
DTSTART:20230811T230000Z
LOCATION:DC - Caesars Forum - Forum - 109-119\, 138-139 - Track 2
SUMMARY:Visual Studio Code is why I have (Workspace) Trust issues
END:VEVENT
END:VCALENDAR
