Post AaA7XYx0nHfF7W5eLI by delfuego@me.dm
(DIR) More posts by delfuego@me.dm
(DIR) Post #AaA7XXM6j0YAAlofBI by TomSellers@infosec.exchange
2023-09-25T14:49:33Z
0 likes, 0 repeats
Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's excellent article on Ars Technica.As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.I threw together the following shell command to help macOS audit which versions of Electron apps are installed.find /Applications -type f -name "*Electron Framework*" -exec \ sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \;When run, you should see something similar to the following:/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron FrameworkChrome/114.0.5735.289 Electron/25.8.1/Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron FrameworkChrome/116.0.5845.188 Electron/26.2.1#Security #Electron #CVE20234863 #CVE-2023-4863
(DIR) Post #AaA7XYIbDXL16BBNLs by TomSellers@infosec.exchange
2023-09-25T14:52:54Z
0 likes, 0 repeats
The patched (fixed) versions of Electron areElectron v22.3.24, v24.8.3, v25.8.1 - released September 13 and fixes CVE-2023-4863 as well as CVE-2023-4763, CVE-2023-4762, and CVE-2023-4761Electron v26.2.1 - released September 13 and updates Chrome. Fixes the CVEs but does not call them outHere are the fixed versions of some other common software:GitHub Desktop v3.3.3 - bumps Electron to v24.8.3 which fixes CVE-2023-4863VS Code 1.82.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863Signal Desktop v6.30.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863Slack v4.34.119 - bumps Electron to v26.2.1, indicates a security fix but doesn't label it with its highest risk labelApple iOS 16.7, 17.0.1Apple iPadOS 16.7, 17.0.1Apple macOS Ventura 13.6Apple macOS Monterey 12.7Apple watchOS 9.6.3, 10.0.1Apple Safari 16.6.1Google Chrome 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for WindowsMozilla Firefox 117.0.1, ESR 102.15.1, ESR 115.2.1Mozilla Thunderbird 102.15.1, 115.2.2Edit: Added Electron v22.3.24 to the patched list. Thanks @delfuego
(DIR) Post #AaA7XYx0nHfF7W5eLI by delfuego@me.dm
2023-09-25T15:49:06Z
0 likes, 0 repeats
@TomSellers Note that Electron patched this back to v22 and forward to v26 and v27 (in beta), not just v24 and v25; the fixed versions are:22.3.24, 24.8.3, 25.8.1, 26.2.1, 27.0.0-beta.2https://security.snyk.io/vuln/SNYK-JS-ELECTRON-5892810
(DIR) Post #AaA7XZduDnyXGY9uCW by mjgardner@social.sdf.org
2023-09-25T17:17:52Z
0 likes, 0 repeats
@delfuego @TomSellers @electronjs Expanded to check against all #libwebp-patched #Electron versions:find /Applications -type f -name '*Electron Framework*' -exec \perl -Mversion=0.77 -nE \'@safe = map version->parse($_), qw(22.3.24 24.8.3 25.8.1 26.2.1);next unless m{Chrome/[0-9.]+ Electron/([0-9.]+)}; $ver = version->parse($1);if ($ver < (grep int $_->numify >= int $ver->numify, @safe)[0]) {say "vulnerable Electron $ver found in $ARGV"; next}' {} \;
(DIR) Post #AaA7XZm3jUUtfpyPuS by TomSellers@infosec.exchange
2023-09-25T23:47:45Z
1 likes, 0 repeats
In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.Note: There IS a patched version of 22.x.x which is 22.3.24.Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines#Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863
(DIR) Post #AaA7XaQpHv6hiH2yS8 by mjgardner@social.sdf.org
2023-09-26T00:18:34Z
1 likes, 0 repeats
@delfuego @TomSellers @electronjs After using the above command and pulling down any available updates, I still have the following vulnerable #Electron-based apps on my #Mac:#AdGuard for #Safari (Electron v18.3.15)#HTTPie (21.2.0)#Jabra Direct (16.2.2)#Keybase (22.1.0)#Logitech Logi Options+ (23.1.1)#Logseq (24.6.3)#Postman (18.3.5) @getpostman#Rancher Desktop (20.3.8)#Microsoft Teams (19.1.8)#WhatsApp (13.6.9)
(DIR) Post #AaA7Xb4ssz9LiVmxtI by mjgardner@social.sdf.org
2023-09-25T17:19:20Z
0 likes, 0 repeats
@delfuego @TomSellers (I am not checking betas because WTF are you doing installing #Electron apps with beta Electron?)
(DIR) Post #AaA7Xb8Qfnz9tVRnPs by mjgardner@social.sdf.org
2023-09-26T00:32:42Z
0 likes, 0 repeats
@delfuego @TomSellers @electronjs @getpostman Some of those numbers are deceptively lower than the current supported #Electron releases: https://www.electronjs.org/docs/latest/tutorial/electron-timelinesBut they all include Electron versions released in the past 18 months.Like a lot of #JavaScript apps, Electron iterates versions *really* fast. #SemanticVersioning is *not* a guide to the chronological age of software, only its compatibility with *other* software.
(DIR) Post #AaA7XcLw94Ntfgm66q by TomSellers@infosec.exchange
2023-09-26T11:28:46Z
2 likes, 1 repeats
@mjgardner @dangoodin I can confirm that a fresh install of Keybase on macoS is using Electron 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November. A note that 19.1.9 is the last version of this train and includes at least two security fixes.