An elevation of privilege vulnerability exists in VS Code 1.66.1 and earlier versions on Windows if VS Code is installed in a custom location that is writable by other users on the system. The VS Code installer did not set any file system permissions on the VS Code installation directory, so the directory inherited the permissions of its parent folder.
Patches
The fix is available starting with VS Code 1.66.2. The fix consists of 3 patches (7a9093a, c2beae1, c20b68a) and mitigates this attack by explicitly setting the permissions of the VS Code installation directory to limit write access to the current user and to system administrators.
Workarounds
If you have installed VS Code in a location which is writable by other users on your system, you can manually configure permissions on the VS Code installation directory to remove write access for other users on the same system.
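One way to carry out this workaround, as an added example (not code from the VS Code project): the script lists ACEs that give accounts other than the current user and administrators write access to the installation directory, and only when `$ApplyFix` is set reduces those accounts to read and execute. The install path, the `$ApplyFix` switch, the function name, and the choice to treat SYSTEM as trusted and to leave other accounts read/execute access are assumptions.

```powershell
# Added example: audit (and optionally fix) write access by other users on the install directory.
$InstallDir = 'D:\Tools\Microsoft VS Code'   # hypothetical custom install path, replace with yours
$ApplyFix   = $false                         # set to $true to change permissions

# Bits that allow creating, replacing or deleting files, or rewriting the ACL itself.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Principals that are allowed to keep write access.
$trusted = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # current user
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (assumption: treated like an administrator)
)

function Get-OtherUserWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Ask for SIDs rather than names so the comparison is locale-independent.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            [pscustomobject]@{ Sid = $sid; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = @(Get-OtherUserWriteAce -Path $InstallDir)
$findings | Format-Table -AutoSize

if ($ApplyFix -and $findings.Count -gt 0) {
    # Keep the current ACEs as explicit entries but stop inheriting from the parent folder.
    icacls $InstallDir /inheritance:d | Out-Null
    foreach ($sid in ($findings.Sid | Sort-Object -Unique)) {
        icacls $InstallDir /remove:g "*$sid" | Out-Null
        # Assumption: other accounts may still read and run the installation.
        icacls $InstallDir /grant "*${sid}:(OI)(CI)RX" | Out-Null
    }
    # Make existing files and subfolders re-inherit the tightened ACL.
    icacls "$InstallDir\*" /reset /T /C /Q | Out-Null
    Get-OtherUserWriteAce -Path $InstallDir   # no output means no remaining findings
}
```

Run it from an elevated prompt as the account that owns the installation; if you run it as a different administrator, "current user" refers to that administrator rather than the person who uses VS Code.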
References