Comment by Gigachad

2 hours ago

The problem extends far beyond VS code. All extensions and executable code has the same problem. There was a case where Disney was hacked because an employee installed a BeamNG mod that had bundled malware.

A company that wants to remain secure would have to employ strict restrictions on installing software. Only installing npm packages and plugins from an internal preapproved repo for example.

3 comments

Gigachad

miki123211 16 minutes ago

Running code isn't the problem. The fact that (almost) all code runs at the same security level is.

You regularly run tons of untrusted code when visiting websites. That code can't wreak havoc on your machine because it's well-sandboxed. Yet, if we advocate for sandboxing in more places, the "gun nuts of tech" scream about monopolistic practices and taking away user control.

charlieyu1 1 hour ago

I don’t understand why we don’t just sandbox everything. We have done it for web browsers, we can definitely do it for VSCode extensions.

inlined 30 minutes ago

What are you withholding from the sandbox without making it useless?