
The flaw, designated as CVE-2025-53773, allows malicious actors to manipulate the AI assistant into modifying critical configuration files, effectively compromising entire development environments.
The vulnerability stems from GitHub Copilot’s ability to create and write files in workspaces without requiring user approval, with changes persisting immediately to disk rather than being presented as reviewable diffs.
This design flaw creates a dangerous attack vector where prompt injections can escalate privileges and execute arbitrary code on target systems.
YOLO Mode Exploitation Mechanism
The core of the attack involves manipulating Copilot into enabling what researchers term “YOLO mode” by modifying the .vscode/settings.json file.
The exploit chain begins when attackers plant prompt injection payloads in source code files, web pages, GitHub issues, or other content that developers might interact with through Copilot.
The malicious prompt instructs Copilot to add the critical configuration line "chat.tools.autoApprove": true to the settings file, which immediately disables all user confirmations for the AI assistant.
Once this experimental feature is activated, attackers gain the ability to execute shell commands, browse the web, and perform other privileged operations without user intervention.
The vulnerability affects all major operating systems, including Windows, macOS, and Linux, making it particularly concerning for development teams across diverse environments.
Attack Scenarios and ZombAI Networks
The implications of this vulnerability extend far beyond simple code execution, with researchers demonstrating the potential for creating “ZombAI” networks where compromised developer machines join botnets.

The attack enables the download and execution of malware, connection to remote command and control servers, and the creation of AI viruses that can propagate through infected Git repositories.
Attackers can embed malicious instructions using invisible Unicode characters to avoid detection, though this technique proves less reliable than visible prompt injections.
The vulnerability also allows modification of other critical configuration files, such as .vscode/tasks.json, and the addition of malicious MCP servers further expands the attack surface.
Microsoft has addressed this vulnerability in its August 2024 Patch Tuesday release following responsible disclosure by security researchers.
The fix prevents unauthorized modification of security-critical configuration files, requiring explicit user approval for such changes.
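A defensive check for the indicators described in this article, as an added example that is not from the original report or from Microsoft: it flags a workspace whose .vscode/settings.json sets "chat.tools.autoApprove" to true, and text files that contain invisible Unicode characters. The function names and the set of code points treated as invisible are assumptions.

```python
import json
import re
from pathlib import Path

RISKY_KEY = "chat.tools.autoApprove"  # setting named in the article
# Assumed set of invisible code points: zero-width/bidi marks and Unicode tags.
INVISIBLE = re.compile("[\u200b-\u200f\u2060-\u2064\U000e0000-\U000e007f]")
STRING = r'"(?:\\.|[^"\\])*"'
COMMENT = re.compile(STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
TRAILING_COMMA = re.compile(STRING + r"|,(?=\s*[}\]])")

def strip_outside_strings(pattern, text):
    """Delete pattern matches unless the match is a JSON string literal."""
    return pattern.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_jsonc(text):
    """Parse settings.json content, which may carry comments and trailing commas."""
    text = strip_outside_strings(COMMENT, text)
    return json.loads(strip_outside_strings(TRAILING_COMMA, text))

def audit_workspace(root):
    """Return sorted (relative path, finding) pairs for one workspace directory."""
    root, findings = Path(root), []
    settings = root / ".vscode" / "settings.json"
    if settings.is_file():
        try:
            data = load_jsonc(settings.read_text(encoding="utf-8"))
            if isinstance(data, dict) and data.get(RISKY_KEY) is True:
                findings.append((".vscode/settings.json", "auto-approve enabled"))
        except (ValueError, OSError):
            findings.append((".vscode/settings.json", "settings file not parseable"))
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        try:
            hits = INVISIBLE.findall(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # binary or unreadable file: nothing to scan as text
        if hits:
            findings.append((rel.as_posix(), f"{len(hits)} invisible character(s)"))
    return sorted(findings)

if __name__ == "__main__":
    for rel_path, finding in audit_workspace("."):
        print(f"{rel_path}: {finding}")
```

Run it from the root of a checked-out repository before opening the folder with an AI assistant; a settings file that cannot be parsed is reported rather than silently skipped.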
