Programming language Python VS Code extension: New update has critical security fix

Microsoft has released the May 2020 update for its Python extension for Visual Studio Code (VS Code), its popular open-source, cross-platform code editor. Users should update the extension to address a critical flaw disclosed in yesterday's Patch Tuesday.  

On the heels of the VS Code 1.45 release this week with more GitHub integrations, Microsoft's VS Code team has released a new version of the Microsoft Python extension for VS Code, by far its most popular extension in the Microsoft Visual Studio Marketplace with over 19 million installs.   

Microsoft has been building an arsenal of tools and educational resources for Python beginners and professional developers to accompany VS Code and capitalize on growing interest in the programming language thanks to the rise of data science and machine learning. 

SEE: How to build a successful developer career (free PDF)

These resources include new tutorials in VS Code aimed at professionals and free YouTube courses that help budding Python developers use Azure. And last week it released a second batch of Python video courses for beginners.     

The main update in the new Python extension for VS Code is that it's easier to select or change a Python interpreter path in a file system. There's also an option to manually enter a file path in VS Code. 

Microsoft is also lining up a new way for the Python extension to handle the process of selecting a Python interpreter by deprecating 'python.pythonPath' and removing it from 'settings.json' to improve things for developers who share VS Code workspace settings in a GitHub repository.

The goal is to improve the scenario for developers who share VS Code workspace settings between different operating systems. 

However, for now, the changes are only being added gradually as part of an A/B testing experiment. Users can opt in to the experiment early by adding "python.experiments.optInto": ["DeprecatePythonPath - experiment"] to user settings.  

But the update for the Microsoft Python extension also includes a patch for a critical flaw Microsoft disclosed in yesterday's Patch Tuesday batch of 111 security fixes. 

The remote code execution bug, tracked as CVE-2020-1192, is exposed when Microsoft's VS Code Python extension loads workspace settings from a file from a notebook, such as Jupyter. An attacker who duped a user to open a specially crafted file in VS Code with the Python extension installed could run malware on the machine.  

Microsoft's advisory says it fixed the issue by "modifying the way Visual Studio Code Python extension enforces user settings". 

The VS Code team says, "Setting 'Data Science: Run Startup Commands' is now limited to being a User scope only setting."

SEE: Developers say Google's Go is 'most sought after' programming language of 2020

A second security flaw disclosed yesterday affects Visual Studio Code when the Python extension loads configuration files after opening a project.

"An attacker would need to convince a target to clone a repository and open it in Visual Studio Code with the Python extension installed. Attacker-specified code would execute when the target opened the integrated terminal," Microsoft said. 

There's also a fix for issues affecting Python in VS Code when executing multiple cells in Notebook and Interactive Window using ipwidgets. 

More on Microsoft's Visual Studio Code