Microsoft has released the May 2020 update for its Python extension for Visual Studio Code (VS Code), its popular open-source, cross-platform code editor. Users should update the extension to address a critical flaw disclosed in yesterday's Patch Tuesday.
Microsoft has been building an arsenal of tools and educational resources for Python beginners and professional developers to accompany VS Code and capitalize on growing interest in the programming language thanks to the rise of data science and machine learning.
Microsoft is also lining up a new way for the Python extension to handle the process of selecting a Python interpreter by deprecating 'python.pythonPath' and removing it from 'settings.json' to improve things for developers who share VS Code workspace settings in a GitHub repository.
The goal is to improve the scenario for developers who share VS Code workspace settings between different operating systems.
However, for now, the changes are only being added gradually as part of an A/B testing experiment. Users can opt in to the experiment early by adding "python.experiments.optInto": ["DeprecatePythonPath - experiment"] to user settings.
But the update for the Microsoft Python extension also includes a patch for a critical flaw Microsoft disclosed in yesterday's Patch Tuesday batch of 111 security fixes.
The remote code execution bug, tracked as CVE-2020-1192, is triggered when Microsoft's VS Code Python extension loads workspace settings from a notebook file, such as a Jupyter notebook. An attacker who duped a user into opening a specially crafted file in VS Code with the Python extension installed could run malware on the machine.
Microsoft's advisory says it fixed the issue by "modifying the way Visual Studio Code Python extension enforces user settings".
The VS Code team says, "Setting 'Data Science: Run Startup Commands' is now limited to being a User scope only setting."
"An attacker would need to convince a target to clone a repository and open it in Visual Studio Code with the Python extension installed. Attacker-specified code would execute when the target opened the integrated terminal," Microsoft said.
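The fix described above moves a command-running setting out of workspace scope, because a repository's .vscode/settings.json is attacker-controlled the moment a target clones it. The following audit script is an added example, not Microsoft's or the Python extension's own code: it parses a workspace settings file in VS Code's JSON-with-comments format and reports keys that should only ever be honoured at user scope. The page names the setting only by its display name "Data Science: Run Startup Commands"; the identifier python.dataScience.runStartupCommands used below, the name pattern, and the sample settings file are assumptions constructed for the example.

```python
import json
import re
from pathlib import Path

# Settings a repository-supplied .vscode/settings.json should not control,
# because they run commands when the workspace or its terminal is opened.
# The identifier below is an assumption; the page gives only the display name.
RISKY_WORKSPACE_KEYS = {
    "python.dataScience.runStartupCommands",
}
# Narrow heuristic (assumed) for other keys that hand the editor a command line.
RISKY_NAME_PATTERN = re.compile(r"(shellargs|startupcommands)", re.IGNORECASE)

# Constructed sample of a repository-supplied settings file (not from the page).
SAMPLE_WORKSPACE_SETTINGS = """{
    // constructed sample: a cloned repo's .vscode/settings.json
    "python.pythonPath": "/usr/bin/python3",
    "python.dataScience.runStartupCommands": "print('runs on notebook start')",
}
"""


def parse_jsonc(text: str) -> dict:
    """Parse VS Code's JSON-with-comments settings format.

    Simplified: removes // and /* */ comments outside strings and trailing
    commas before } or ], then hands the result to the standard json parser.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to end of line
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):       # block comment: skip to closing */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    cleaned = re.sub(r",(\s*[}\]])", r"\1", "".join(out))
    return json.loads(cleaned)


def audit_workspace_settings(text: str) -> list[str]:
    """Return the keys in a workspace settings file that belong at user scope only."""
    settings = parse_jsonc(text)
    return [
        key for key in settings
        if key in RISKY_WORKSPACE_KEYS or RISKY_NAME_PATTERN.search(key)
    ]


def audit_repository(repo_root: str) -> dict[str, list[str]]:
    """Audit every .vscode/settings.json beneath a cloned repository checkout."""
    results = {}
    for path in Path(repo_root).glob("**/.vscode/settings.json"):
        flagged = audit_workspace_settings(path.read_text(encoding="utf-8"))
        if flagged:
            results[str(path)] = flagged
    return results


if __name__ == "__main__":
    print(audit_workspace_settings(SAMPLE_WORKSPACE_SETTINGS))
```

Run audit_repository on a freshly cloned checkout before opening it in the editor; a non-empty result means the repository is trying to set something that, prior to this patch, the extension would have executed on the developer's machine.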
There's also a fix for issues affecting Python in VS Code when executing multiple cells in the Notebook and Interactive Window using ipywidgets.