Posts by TomSellers@infosec.exchange
 (DIR) Post #AaA7XXM6j0YAAlofBI by TomSellers@infosec.exchange
       2023-09-25T14:49:33Z
       
       0 likes, 0 repeats
       
       Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin's excellent article on Ars Technica.
       
       As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.
       
       I threw together the following shell command to help macOS users audit which versions of Electron apps are installed.
       
           find /Applications -type f -name "*Electron Framework*" -exec \
             sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \;
       
       When run, you should see something similar to the following:
       
           /Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
           Chrome/114.0.5735.289 Electron/25.8.1
       
           /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
           Chrome/116.0.5845.188 Electron/26.2.1
       
       #Security #Electron #CVE20234863 #CVE-2023-4863
       
 (DIR) Post #AaA7XYIbDXL16BBNLs by TomSellers@infosec.exchange
       2023-09-25T14:52:54Z
       
       0 likes, 0 repeats
       
       The patched (fixed) versions of Electron are:
       
       Electron v22.3.24, v24.8.3, v25.8.1 - released September 13; fixes CVE-2023-4863 as well as CVE-2023-4763, CVE-2023-4762, and CVE-2023-4761
       Electron v26.2.1                    - released September 13 and updates Chrome. Fixes the CVEs but does not call them out
       
       Here are the fixed versions of some other common software:
       
       GitHub Desktop v3.3.3  - bumps Electron to v24.8.3 which fixes CVE-2023-4863
       VS Code 1.82.2         - bumps Electron to v25.8.1 which fixes CVE-2023-4863
       Signal Desktop v6.30.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863
       Slack v4.34.119        - bumps Electron to v26.2.1, indicates a security fix but doesn't label it with its highest risk label
       
       Apple iOS    16.7, 17.0.1
       Apple iPadOS 16.7, 17.0.1
       Apple macOS Ventura 13.6
       Apple macOS Monterey 12.7
       Apple watchOS 9.6.3, 10.0.1
       Apple Safari 16.6.1
       Google Chrome 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows
       Mozilla Firefox 117.0.1, ESR 102.15.1, ESR 115.2.1
       Mozilla Thunderbird 102.15.1, 115.2.2
       
       Edit: Added Electron v22.3.24 to the patched list. Thanks @delfuego
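The two posts above give the raw material for an audit: a command that prints "Chrome/... Electron/..." strings for each bundled Electron Framework, and a list of the Electron releases that carry the fix. The following is an added example, not code from the original posts or from the Electron project, that joins the two: it parses a version string of the shape the audit command prints and classifies it against the fixed releases listed in the thread (22.3.24, 24.8.3, 25.8.1, 26.2.1). Function names, the `SAMPLE` lines and the Chrome build numbers on the last two sample lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original posts: classify the version
# strings the audit command prints (e.g. "Chrome/114.0.5735.289
# Electron/25.8.1") against the fixed Electron releases listed in the
# thread. Function and variable names are this example's own.

# Minimum patched release per Electron major, as listed in the post above.
# A major with no entry and not newer than 26 had no patched release in
# the thread's list, so that train is treated as end-of-life here.
fixed_for_major() {
    case "$1" in
        22) echo 22.3.24 ;;
        24) echo 24.8.3 ;;
        25) echo 25.8.1 ;;
        26) echo 26.2.1 ;;
        *)  return 1 ;;
    esac
}

# Pull "25.8.1" out of a strings(1) line like "Chrome/... Electron/25.8.1".
# Prints nothing when the line carries no Electron version.
electron_version() {
    printf '%s\n' "$1" | sed -n 's/.*Electron\/\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# field by field (a plain string compare would rank 22.3.9 above 22.3.24).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# electron_status LINE: prints one of
#   "patched X", "unpatched X (fix is Y)",
#   "eol X (no patched release in this train)",
#   "unlisted X (newer than the table above; add an entry)",
#   or "unknown" when the line carries no Electron version.
electron_status() {
    v=$(electron_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    major=${v%%.*}
    if min=$(fixed_for_major "$major"); then
        if version_ge "$v" "$min"; then
            echo "patched $v"
        else
            echo "unpatched $v (fix is $min)"
        fi
    elif [ "$major" -gt 26 ]; then
        echo "unlisted $v (newer than the table above; add an entry)"
    else
        echo "eol $v (no patched release in this train)"
    fi
}

# Constructed sample input: lines of the shape the audit command prints.
# The Chrome build numbers on the last two lines are placeholders, not
# taken from any real install.
SAMPLE='Chrome/114.0.5735.289 Electron/25.8.1
Chrome/116.0.5845.188 Electron/26.2.1
Chrome/108.0.0.0 Electron/22.1.0
Chrome/102.0.0.0 Electron/19.1.8'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    printf '%-40s -> %s\n' "$line" "$(electron_status "$line")"
done
```

To use it against a real machine, pipe the `strings ... | grep '^Chrome/'` lines from the audit command into `electron_status` instead of `SAMPLE`. The fixed-version table is frozen at the thread's date (September 2023); majors released after 26 are reported as "unlisted" rather than silently passed or failed, so the table has to be extended before the check is trusted for newer builds.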
       
 (DIR) Post #AaA7XZm3jUUtfpyPuS by TomSellers@infosec.exchange
       2023-09-25T23:47:45Z
       
       1 likes, 0 repeats
       
       In my earlier thread I should have recommended that folks be on the lookout for end of life (EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.
       
       Note: There IS a patched version of 22.x.x which is 22.3.24.
       
       Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines
       
       #Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863
       
 (DIR) Post #AaA7XcLw94Ntfgm66q by TomSellers@infosec.exchange
       2023-09-26T11:28:46Z
       
       2 likes, 1 repeats
       
       @mjgardner @dangoodin I can confirm that a fresh install of Keybase on macOS is using Electron 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.
       
       I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November. A note that 19.1.9 is the last version of this train and includes at least two security fixes.
       
 (DIR) Post #Aajkq3tHOMmMoCuFQu by TomSellers@infosec.exchange
       2023-10-13T15:58:21Z
       
       0 likes, 1 repeats
       
       Nice, someone registered 'ngithub [dot] com' and in some cases is redirecting users to scam / malware sites. So, if you click on a stack trace message that included a new line..
       
       something\ngithub.com\YourAccount\YourRep\blah
       
       .. and Slack or something else converted that to a link, you're likely to end up there.
       
       #Security #Malware
       
 (DIR) Post #AcFeWrx2v237Qb29Eu by TomSellers@infosec.exchange
       2023-11-28T01:59:38Z
       
       1 likes, 0 repeats
       
       @mttaggart I could have sworn that @TechConnectify had a great video showing CO2 readings when cooking w/ gas vs electric. My google-fu is currently failing me though and I can't find it.
       
       I see some CO2 references in the following video but I thought there was another that was more focused on the topic.
       
       https://www.youtube.com/watch?v=eUywI8YGy0Y
       
 (DIR) Post #AyoWxzpMcIFXHRxiee by TomSellers@infosec.exchange
       2025-10-02T21:46:58Z
       
       0 likes, 1 repeats
       
       I was just filling out some medical forms online and noticed some interesting options in the Preferred Language drop down.