"Open Sesame": the logic error that let malicious VS Code plugins slip past Open VSX review
TL;DR (summary)
Researchers discovered a serious "fail-open" security flaw in the Open VSX registry. Because of a logic error that left the system unable to tell a failure of the scanning service (a system failure) apart from a scan that had passed, attackers could bypass the review and publish malicious code simply by putting load on the system's database. The issue has since been fixed.
Software supply chain security always rests on the trustworthiness of the marketplaces and registries we place our trust in. Recently, cybersecurity researchers disclosed a major flaw in Open VSX, the open-source alternative to Microsoft's Visual Studio Code Marketplace.
The flaw, dubbed "Open Sesame", allowed potentially malicious extensions (plugins) to get past the mandatory review, which meant the pre-publish safeguards stopped working in certain specific situations.
The bug: misreading a binary value (Binary Misinterpretation)
The problem came from Open VSX's scanning pipeline, which is written in Java. In February 2026, the Eclipse Foundation (which maintains Open VSX) introduced this review to curb the rise of suspicious plugins. However, researcher Oran Simhony of Koi Security discovered an error in the way the system handled error states.
The pipeline used a single boolean return value (true or false) to report the state of the scan. The problem? That one value stood for two opposite conditions:
- "No scanner configured" (meaning the extension is not blocked and can be published directly).
- "All scanners failed to run" (meaning an error occurred in the system).
"The code calling the service couldn't tell the difference," Simhony explained in his report. "That's why, when the scanners failed under load, Open VSX treated it as 'nothing to scan' and let the extension straight through."
How the "Open Sesame" attack played out
What made this flaw particularly dangerous is its simplicity. Because the system was designed "fail-open" (that is, a security error opens the door), the attacker needed no special privileges to exploit it.
- Putting load on the system: an attacker with a free "publisher" account could submit a large number of malicious .VSIX extensions to a single publish endpoint.
- Resource exhaustion: this concurrent pressure exhausts the database connection pool.
- Scan failure: because the connections are exhausted, the scanning service cannot register.
- The bypass: the system misreads this failure as "no scanner configured" and activates the extensions right away, making them available for download to users of VS Code forks such as Cursor and Windsurf.
What is alarming is that even the recovery service, which was supposed to re-run scans that had failed, had the same logic flaw, so malicious code could skip the review entirely.
The fix and the lessons for fail-safe design (Fail-Safe)
The flaw was reported to the Eclipse Foundation on 8 February 2026 and fixed in Open VSX version 0.32.0 last month.
This discovery is a reminder of the danger of "fail-open" design in sensitive infrastructure. Koi Security stressed that the pipeline's philosophy was sound, but the way the return value was implemented left the security door ajar.
Advice for developers:
- Make failure explicit: do not let the state "we did nothing" share the same code as "the service failed".
- Design "fail-closed": in security matters, if the scanner fails because of load or technical problems, the default decision must be quarantine, not publication.
- Monitor resources: critical pipelines must be protected so that exhaustion of the database or memory cannot be abused to skip the review.
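The following Java example is added here to illustrate both the boolean ambiguity described in "The bug" section and the fail-closed advice above. It is not Open VSX's code and does not reproduce the project's actual pipeline; ExtensionScanner, ScanOutcome, Decision and the method names are assumed for illustration, the "crashed" scanner merely simulates a scanner that cannot run, and the sample bytes are constructed. It assumes Java 9 or later (for List.of).

```java
import java.util.List;

// Added example, not Open VSX's code: a reconstruction of the reported defect shape
// (one boolean covering both "no scanner configured" and "all scanners failed") next
// to a fail-closed redesign. ExtensionScanner, ScanOutcome and Decision are assumed names.
public class ScanGate {

    // Hypothetical scanner: true = clean, false = flagged, exception = could not run
    // (for instance because the database connection pool is exhausted).
    interface ExtensionScanner {
        boolean isClean(byte[] vsix) throws Exception;
    }

    // Vulnerable shape. The only output is "was anything blocked?". It is false when
    // there is nothing to scan AND when every scanner threw, so the caller cannot
    // distinguish "not configured" from "system failure" and activates in both cases.
    static boolean vulnerableIsBlocked(List<ExtensionScanner> scanners, byte[] vsix) {
        boolean blocked = false;
        for (ExtensionScanner s : scanners) {
            try {
                if (!s.isClean(vsix)) blocked = true;
            } catch (Exception e) {
                // failure swallowed: indistinguishable from "nothing flagged"
            }
        }
        return blocked;
    }

    // Fixed shape: every distinct condition gets its own value.
    enum ScanOutcome { CLEAN, MALICIOUS, NOT_CONFIGURED, FAILED }

    static ScanOutcome fixedScan(List<ExtensionScanner> scanners, byte[] vsix) {
        if (scanners.isEmpty()) return ScanOutcome.NOT_CONFIGURED;
        int verdicts = 0;
        for (ExtensionScanner s : scanners) {
            try {
                if (!s.isClean(vsix)) return ScanOutcome.MALICIOUS;
                verdicts++;
            } catch (Exception e) {
                // a scanner that could not run produced no verdict; keep going so a
                // different scanner can still flag the file, but remember the gap
            }
        }
        // Any scanner that failed to run means the file was not fully scanned.
        return verdicts == scanners.size() ? ScanOutcome.CLEAN : ScanOutcome.FAILED;
    }

    enum Decision { PUBLISH, QUARANTINE, REJECT }

    // Fail-closed policy: only an explicit CLEAN verdict publishes. FAILED is held for
    // the recovery/retry path, and that path should reuse this same decision table, so
    // a repeated failure keeps the item quarantined instead of activating it.
    static Decision decide(ScanOutcome outcome, boolean scanningMandatory) {
        switch (outcome) {
            case CLEAN:          return Decision.PUBLISH;
            case MALICIOUS:      return Decision.REJECT;
            case NOT_CONFIGURED: return scanningMandatory ? Decision.QUARANTINE : Decision.PUBLISH;
            case FAILED:
            default:             return Decision.QUARANTINE;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bytes, not a real extension package.
        byte[] vsix = "constructed sample bytes".getBytes();
        ExtensionScanner flags = v -> false;
        ExtensionScanner crashed = v -> {
            throw new RuntimeException("connection pool exhausted (simulated)");
        };

        // Vulnerable: both conditions collapse to "not blocked", so both would activate.
        System.out.println("no scanners   -> blocked=" + vulnerableIsBlocked(List.of(), vsix));
        System.out.println("scanner crash -> blocked=" + vulnerableIsBlocked(List.of(crashed), vsix));

        // Fixed: the outcomes stay distinct and a crash fails closed (quarantine).
        System.out.println("no scanners   -> " + decide(fixedScan(List.of(), vsix), true));
        System.out.println("scanner crash -> " + decide(fixedScan(List.of(crashed), vsix), true));
        System.out.println("scanner flags -> " + decide(fixedScan(List.of(flags), vsix), true));
        System.out.println("crash + flags -> " + decide(fixedScan(List.of(crashed, flags), vsix), true));
    }
}
```

The design point is in decide(): a scanner that could not run is a FAILED outcome, not an absence of findings, so the only path to PUBLISH is a CLEAN verdict from every configured scanner. Treating NOT_CONFIGURED as quarantine when scanning is mandatory also catches a misconfigured deployment instead of silently waving everything through.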
Conclusion
Although the Eclipse Foundation has taken steps to secure the Open VSX ecosystem, the "Open Sesame" problem shows how a single ambiguous line of code can undermine an entire layer of security. With the growing popularity of VS Code forks, the registries that serve them will remain a major target for attackers looking to get into developers' environments.
Source
Article Title: Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
URL: https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html