A security researcher has publicly disclosed a critical zero-day vulnerability in Visual Studio Code (VS Code) — accompanied by a working exploit — within hours of privately notifying a contact at GitHub, the Microsoft-owned code hosting platform, citing a deep loss of trust in Microsoft's vulnerability disclosure process.

One-Click RCE

The flaw, discovered by researcher Ammar Askar, enables remote code execution through what is described as a one-click attack vector: a victim merely needs to click a malicious link for an attacker to gain code execution on their machine. Given VS Code's status as one of the most widely used code editors in the world — with tens of millions of active users across professional development teams, open-source communities, and educational institutions — the potential attack surface is enormous.

According to a report published by Security Affairs, Askar's decision to release a full exploit almost immediately after initial notification represents a significant departure from the standard responsible disclosure workflow, where researchers typically give vendors weeks or months to develop and distribute a patch before making technical details public.

Broken Relationship

The move appears to stem from Askar's accumulated frustration with how Microsoft has handled his previous vulnerability reports. While the specifics of those prior disputes were not detailed exhaustively, the researcher's willingness to forgo the usual grace period suggests a pattern of dissatisfaction with the company's responsiveness and communication around security issues.

This is not the first time Microsoft has faced criticism over its security disclosure practices. The company has periodically drawn scrutiny from the research community for delays in patching reported vulnerabilities, disagreements over severity ratings, and communication lapses that leave researchers feeling unheard. When trust between a vendor and the researcher community breaks down, the result is often exactly this kind of accelerated public disclosure — which, while understandable from the researcher's perspective, shifts risk onto end users.

Implications for the Developer Ecosystem

The incident raises pressing questions about the security of tools that developers interact with every day. IDEs and code editors like VS Code have evolved into complex platforms with extensive plugin ecosystems, built-in terminals, and network-connected features — each representing a potential entry point that expands their attack surface beyond what many users might assume from a text editor.

Security teams that focus exclusively on production environments while granting developers unrestricted access to editor extensions and link-handling features may be leaving gaps that attackers can exploit. Development organisations should consider treating developer tooling as part of their broader attack surface and hardening local development environments — restricting automatic link-opening, vetting extensions, and monitoring for unusual process activity — with the same rigour applied to production infrastructure.
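One concrete form the "monitoring for unusual process activity" advice can take is a baseline check over endpoint process-creation telemetry: the editor is expected to spawn its own helper processes, an extension host, source-control and search tools, and an interactive terminal shell, so a direct child outside that set, or a shell it started with a run-and-exit flag, is worth a look. The script below is an added example written for this page (not code from the original article, from Microsoft, or from the researcher); the event field names (`pid`, `ppid`, `image`, `cmdline`), the allowlists and the flag set are assumptions to tune per environment, and the log lines are constructed, not real telemetry.

```python
"""Flag unusual direct children of a code editor in process-creation logs.

Added example for this page. Field names, allowlists and flags are
assumptions; the sample events are constructed, not captured telemetry.
"""
import json

# Process image names that count as "the editor". Assumption for this example.
EDITOR_IMAGES = {"code.exe", "code"}

# Children a VS Code session is expected to spawn directly: its own helper
# processes, the extension host, source control, search, and the integrated
# terminal's shell. Assumed baseline; tune it to your fleet.
BASELINE_CHILDREN = {"code.exe", "code", "node.exe", "node", "git.exe", "git",
                     "rg.exe", "rg", "cmd.exe", "powershell.exe", "pwsh.exe",
                     "bash", "sh", "zsh"}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}

# An integrated terminal starts its shell interactively. A shell the editor
# started with a "run this and exit" flag deserves a closer look.
NON_INTERACTIVE_FLAGS = {"-c", "/c", "-command", "-encodedcommand", "-e", "-ec"}

# Constructed Sysmon-style events as JSON lines (raw strings keep the
# Windows backslashes intact for json.loads). The -EncodedCommand value is
# base64 of the UTF-16LE string "PLACEHOLDER", not a real payload.
SAMPLE_LOG = [
    r'{"pid": 1,  "ppid": 0,  "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}',
    r'{"pid": 10, "ppid": 1,  "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "cmdline": "Code.exe"}',
    r'{"pid": 11, "ppid": 10, "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "cmdline": "Code.exe --type=renderer"}',
    r'{"pid": 12, "ppid": 10, "image": "C:\\Program Files\\Microsoft VS Code\\node.exe", "cmdline": "node.exe extensionHost"}',
    r'{"pid": 13, "ppid": 10, "image": "C:\\Program Files\\Git\\cmd\\git.exe", "cmdline": "git.exe status"}',
    r'{"pid": 14, "ppid": 10, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}',
    r'{"pid": 15, "ppid": 14, "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami.exe"}',
    r'{"pid": 16, "ppid": 10, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -NonInteractive -EncodedCommand UABMAEEAQwBFAEgATwBMAEQARQBSAA=="}',
    r'{"pid": 17, "ppid": 10, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe about:blank"}',
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON-lines process-creation events into normalised dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append({
            "pid": int(raw["pid"]),
            "ppid": int(raw["ppid"]),
            "image": basename(raw["image"]),
            "cmdline": raw.get("cmdline", ""),
        })
    return events


def lineage(pid, by_pid, max_depth=32):
    """Image names from the process up through its ancestors (depth-capped)."""
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return chain


def find_unusual(events):
    """Return findings for direct children of the editor that break the baseline."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"] not in EDITOR_IMAGES:
            continue  # only direct children of the editor are in scope
        if e["image"] in EDITOR_IMAGES:
            continue  # renderer / utility processes of the editor itself
        reasons = []
        if e["image"] not in BASELINE_CHILDREN:
            reasons.append("image not in editor baseline")
        if e["image"] in SHELLS:
            args = e["cmdline"].split()[1:]
            if any(a.lower() in NON_INTERACTIVE_FLAGS for a in args):
                reasons.append("shell started non-interactively")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"],
                             "reasons": reasons,
                             "lineage": lineage(e["pid"], by_pid)})
    return findings


if __name__ == "__main__":
    for f in find_unusual(parse_events(SAMPLE_LOG)):
        print(f"pid {f['pid']} {f['image']}: {', '.join(f['reasons'])} "
              f"(lineage: {' <- '.join(f['lineage'])})")
```

On the constructed input only the encoded PowerShell launch (pid 16) and the non-baseline `mshta.exe` child (pid 17) are reported; the user's own `whoami` typed into the integrated terminal (pid 15) is not, because it is a grandchild rather than a direct child of the editor. Scoping the check to direct children keeps it quiet on normal terminal use while still covering the case this article describes, where the editor itself launches the payload.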

The broader lesson is twofold. First, vendors must maintain credible, respectful relationships with the researchers who find and report flaws in their products. When that relationship deteriorates, the entire user base pays the price. Second, the absence of coordinated disclosure timelines puts every user at risk the moment exploit code becomes public.

As of publication, Microsoft has not issued an official patch or advisory addressing the specific vulnerability Askar disclosed. Users are advised to exercise caution when clicking links from untrusted sources while working in VS Code until a fix is available.
