CVE-2020-0884: Microsoft Visual Studio Spoofing Vulnerability

Overview

Severity: N/A
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Mar
Released: 2020-03-10
EPSS Score: 1.64% (percentile: 81.9%)

Description

A spoofing vulnerability exists in Microsoft Visual Studio because it includes a reply URL that is not secured by SSL. An attacker who successfully exploited this vulnerability could compromise access tokens, creating security and privacy risks. To exploit this vulnerability, an attacker would need to monitor the network traffic between a client machine and a server while the end user is developing an Outlook Web Add-in and the client has two-factor authentication enabled in Outlook. The update addresses the vulnerability by securing the reply URL with HTTPS.

Affected Products (3)

Developer Tools

  • Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
  • Microsoft Visual Studio 2019 version 16.0
  • Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)

Security Updates (1)

Acknowledgments

Microsoft Corporation

Revision History

  • 2020-03-10: Information published.