Programming language Python VS Code extension: New update has critical security fix

Microsoft updates its Python extension for VS Code with fixes for two security flaws and easier interpreter selection.
Written by Liam Tung, Contributing Writer

Microsoft has released the May 2020 update for its Python extension for Visual Studio Code (VS Code), its popular open-source, cross-platform code editor. Users should update the extension to address a critical flaw disclosed in yesterday's Patch Tuesday.  

On the heels of the VS Code 1.45 release this week with more GitHub integrations, Microsoft's VS Code team has released a new version of the Microsoft Python extension for VS Code, by far its most popular extension in the Microsoft Visual Studio Marketplace with over 19 million installs.   

Microsoft has been building an arsenal of tools and educational resources for Python beginners and professional developers to accompany VS Code and capitalize on growing interest in the programming language thanks to the rise of data science and machine learning. 


These resources include new tutorials in VS Code aimed at professionals and free YouTube courses that help budding Python developers use Azure. And last week it released a second batch of Python video courses for beginners.     

The main non-security change in the new Python extension for VS Code is that it's easier to select or change the Python interpreter: the interpreter picker can now browse the file system for an interpreter, and there's also an option to manually enter the interpreter path in VS Code. 

Microsoft is also lining up a new way for the Python extension to handle the process of selecting a Python interpreter by deprecating 'python.pythonPath' and removing it from 'settings.json' to improve things for developers who share VS Code workspace settings in a GitHub repository.

The goal is to improve the scenario for developers who share VS Code workspace settings between different operating systems. 

However, for now, the changes are only being added gradually as part of an A/B testing experiment. Users can opt in to the experiment early by adding "python.experiments.optInto": ["DeprecatePythonPath - experiment"] to user settings.  

But the update for the Microsoft Python extension also includes a patch for a critical flaw Microsoft disclosed in yesterday's Patch Tuesday batch of 111 security fixes.

The remote code execution bug, tracked as CVE-2020-1192, is triggered when the VS Code Python extension loads workspace settings from a notebook file, such as a Jupyter notebook. An attacker who convinced a user to open a specially crafted file in VS Code with the Python extension installed could run attacker-chosen code on the user's machine.  

Microsoft's advisory says it fixed the issue by "modifying the way Visual Studio Code Python extension enforces user settings". 

The VS Code team says, "Setting 'Data Science: Run Startup Commands' is now limited to being a User scope only setting."


A second security flaw disclosed yesterday affects Visual Studio Code when the Python extension loads configuration files after opening a project.

"An attacker would need to convince a target to clone a repository and open it in Visual Studio Code with the Python extension installed. Attacker-specified code would execute when the target opened the integrated terminal," Microsoft said. 
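Both flaws share one pattern: a setting that decides what code runs lives in a file the repository author controls, and the extension honours it as soon as the folder is opened. The fix for the first flaw (limiting 'Run Startup Commands' to User scope) is one way to close that; the check a practitioner can do before opening an untrusted clone is to read its .vscode/settings.json and see which keys could execute anything. The script below is an added example written for this article, not code from Microsoft or the Python extension. Its watchlist of setting keys is the editor's own assumption (including that 'Data Science: Run Startup Commands' corresponds to python.dataScience.runStartupCommands), and the sample settings file is constructed for illustration rather than taken from any real attack. Because VS Code settings files allow comments and trailing commas, the parser strips those before handing the text to the standard JSON loader.

```python
"""Audit a cloned repo's .vscode/settings.json for workspace settings that
can run code when the folder is opened in VS Code.

Added example for this article; not code from Microsoft or the Python
extension. The watchlist below is an assumption by the editor, not an
official list of dangerous settings.
"""
import json
import re
from typing import Dict, Iterator, List

# Exact keys and key prefixes that choose or run code on folder open.
# ASSUMED watchlist; extend it for the extensions you actually use.
RISKY_KEYS = {
    "python.pythonPath": "interpreter the Python extension launches on open",
    "python.dataScience.runStartupCommands": "code run in the Jupyter kernel "
    "at start (the setting the May 2020 update limited to User scope)",
    "python.terminal.activateEnvironment": "runs env activation scripts in "
    "the integrated terminal",
    "python.envFile": "environment file loaded into launched processes",
}
RISKY_PREFIXES = {
    "terminal.integrated.shell.": "shell binary the integrated terminal runs",
    "terminal.integrated.shellArgs.": "arguments passed to that shell",
    "terminal.integrated.env.": "environment injected into the terminal",
    "terminal.integrated.automationShell.": "shell used to run tasks",
}
_ABS_PATH = re.compile(r"^([A-Za-z]:)?[\\/]")   # POSIX or Windows absolute path
_WORKSPACE_VAR = ("${workspaceFolder}", "${workspaceRoot}")


def _skip_trivia(text: str, j: int) -> int:
    """Advance j past whitespace and // or /* */ comments (outside strings)."""
    n = len(text)
    while j < n:
        if text[j] in " \t\r\n":
            j += 1
        elif text.startswith("//", j):
            k = text.find("\n", j)
            j = n if k == -1 else k
        elif text.startswith("/*", j):
            k = text.find("*/", j + 2)
            j = n if k == -1 else k + 2
        else:
            break
    return j


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    Comments and trailing commas are removed only outside string literals,
    so a value such as "//not-a-comment" survives intact.
    """
    out: List[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == ",":
            # Drop the comma if only trivia separates it from a closing bracket.
            j = _skip_trivia(text, i + 1)
            if j < n and text[j] in "}]":
                i += 1
            else:
                out.append(c)
                i += 1
        elif text.startswith("//", i) or text.startswith("/*", i):
            i = _skip_trivia(text, i)
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _strings(value) -> Iterator[str]:
    """Yield every string nested anywhere inside a settings value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def points_into_repo(value) -> bool:
    """Heuristic: does the value reference something shipped with the repo?

    A relative path or a ${workspaceFolder} variable means the attacker who
    wrote the repo also controls what the path resolves to.
    """
    for s in _strings(value):
        if any(var in s for var in _WORKSPACE_VAR):
            return True
        if ("/" in s or "\\" in s) and not _ABS_PATH.match(s):
            return True
    return False


def audit_settings(text: str) -> List[Dict[str, object]]:
    """Return one finding per risky key found in a settings.json text."""
    settings = json.loads(strip_jsonc(text))
    findings = []
    for key, value in settings.items():
        reason = RISKY_KEYS.get(key)
        if reason is None:
            reason = next((r for p, r in RISKY_PREFIXES.items()
                           if key.startswith(p)), None)
        if reason is None:
            continue
        findings.append({"key": key, "value": value, "reason": reason,
                         "points_into_repo": points_into_repo(value)})
    return findings


# Constructed sample of a repo-shipped .vscode/settings.json (not a real file).
SAMPLE_SETTINGS = r'''{
  // Looks like an ordinary project config
  "editor.tabSize": 4,
  "python.pythonPath": "${workspaceFolder}/tools/python3", /* binary in the repo */
  "python.dataScience.runStartupCommands": "import subprocess; subprocess.run(['sh', '.vscode/setup.sh'])",
  "terminal.integrated.env.linux": { "PROMPT_COMMAND": "sh .vscode/hook.sh" },
  "files.exclude": { "**/.git": true },
}
'''

if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS):
        flag = "REPO-CONTROLLED" if f["points_into_repo"] else "external"
        print(f"[{flag}] {f['key']}: {f['reason']}")
```

Run it against a clone before opening the folder; any finding flagged REPO-CONTROLLED means the repository, not your user settings, decides what the editor will execute. The heuristic deliberately over-reports (a shell one-liner containing a slash is treated as repo-controlled), which is the right bias for a pre-open check.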

There's also a fix for issues affecting Python in VS Code when executing multiple cells in the Notebook and Interactive Window using ipywidgets. 

Image (Microsoft): The latest version of the Python extension for VS Code brings the option of browsing for a Python interpreter in the file system.
