GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    Tom Sellers (tomsellers@infosec.exchange), Tuesday, 26-Sep-2023 11:43:51 JST (mentioning Dan Goodin)

    Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's excellent article on Ars Technica.

    As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.

    I threw together the following shell command to help audit which versions of Electron the apps installed on macOS are using.

    find /Applications -type f -name "*Electron Framework*" -exec \
    sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \;

    When run, you should see something similar to the following:

    /Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
    Chrome/114.0.5735.289 Electron/25.8.1

    /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
    Chrome/116.0.5845.188 Electron/26.2.1

    #Security #Electron #CVE20234863 #CVE-2023-4863

      Tom Sellers (tomsellers@infosec.exchange), Tuesday, 26-Sep-2023 23:55:07 JST, in reply to Mark Gardner and Dan Goodin

      @mjgardner @dangoodin

      I can confirm that a fresh install of Keybase on macOS is using Electron 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.

      I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November. A note that 19.1.9 is the last version of this train and includes at least two security fixes.

      Mark Gardner (mjgardner@social.sdf.org), Tuesday, 26-Sep-2023 23:55:08 JST, in reply to Electron, Jason Levine and Postman

      @delfuego @TomSellers @electronjs @getpostman Some of those numbers are deceptively lower than the current supported #Electron releases: https://www.electronjs.org/docs/latest/tutorial/electron-timelines
      But they all include Electron versions released in the past 18 months.

      Like a lot of #JavaScript apps, Electron iterates versions *really* fast. #SemanticVersioning is *not* a guide to the chronological age of software, only its compatibility with *other* software.


      Attachments
        Electron Releases | Electron
        Electron frequently releases major versions alongside every other Chromium release. This document focuses on the release cadence and version support policy. For a more in-depth guide on our git branches and how Electron uses semantic versions, check out our Electron Versioning doc.
      Mark Gardner (mjgardner@social.sdf.org), Tuesday, 26-Sep-2023 23:55:09 JST, in reply to Electron and Jason Levine

      @delfuego @TomSellers @electronjs Expanded to check against all #libwebp-patched #Electron versions:

      find /Applications -type f -name '*Electron Framework*' -exec \
      perl -Mversion=0.77 -nE '
        # first patched release of each supported major line (older lines such as 19 or 23 have none)
        @safe = map version->parse($_), qw(22.3.24 24.8.3 25.8.1 26.2.1);
        next unless m{Chrome/[0-9.]+ Electron/([0-9.]+)};
        $ver = version->parse($1);
        # lowest patched release whose major is at least the major of this build
        ($floor) = grep int($_->numify) >= int($ver->numify), @safe;
        if (!defined $floor) { say "Electron $ver in $ARGV is newer than the patched list, check the advisory" }
        elsif ($ver < $floor) { say "vulnerable Electron $ver found in $ARGV" }
        exit;   # the banner appears once per binary, no need to keep scanning
      ' {} \;

      Mark Gardner (mjgardner@social.sdf.org), Tuesday, 26-Sep-2023 23:55:09 JST, in reply to Electron, Jason Levine and Postman

      @delfuego @TomSellers @electronjs After using the above command and pulling down any available updates, I still have the following vulnerable #Electron-based apps on my #Mac:

      #AdGuard for #Safari (Electron v18.3.15)
      #HTTPie (21.2.0)
      #Jabra Direct (16.2.2)
      #Keybase (22.1.0)
      #Logitech Logi Options+ (23.1.1)
      #Logseq (24.6.3)
      #Postman (18.3.5) @getpostman
      #Rancher Desktop (20.3.8)
      #Microsoft Teams (19.1.8)
      #WhatsApp (13.6.9)

      Jason Levine (delfuego@me.dm), Tuesday, 26-Sep-2023 23:55:11 JST

      @TomSellers Note that Electron patched this back to v22 and forward to v26 and v27 (in beta), not just v24 and v25; the fixed versions are:

      22.3.24, 24.8.3, 25.8.1, 26.2.1, 27.0.0-beta.2

      https://security.snyk.io/vuln/SNYK-JS-ELECTRON-5892810

      Tom Sellers (tomsellers@infosec.exchange), Tuesday, 26-Sep-2023 23:55:12 JST, in reply to Jason Levine

      The patched (fixed) versions of Electron are

      Electron v22.3.24, v24.8.3, v25.8.1 - released September 13 and fixes CVE-2023-4863 as well as CVE-2023-4763, CVE-2023-4762, and CVE-2023-4761

      Electron v26.2.1 - released September 13 and updates Chrome. Fixes the CVEs but does not call them out

      Here are the fixed versions of some other common software:

      GitHub Desktop v3.3.3 - bumps Electron to v24.8.3 which fixes CVE-2023-4863

      VS Code 1.82.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863

      Signal Desktop v6.30.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863

      Slack v4.34.119 - bumps Electron to v26.2.1, indicates a security fix but doesn't label it with its highest risk label

      Apple iOS 16.7, 17.0.1
      Apple iPadOS 16.7, 17.0.1
      Apple macOS Ventura 13.6
      Apple macOS Monterey 12.7
      Apple watchOS 9.6.3, 10.0.1
      Apple Safari 16.6.1

      Google Chrome 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows

      Mozilla Firefox 117.0.1, ESR 102.15.1, ESR 115.2.1
      Mozilla Thunderbird 102.15.1, 115.2.2

      Edit: Added Electron v22.3.24 to the patched list. Thanks @delfuego

      Tom Sellers (tomsellers@infosec.exchange), Tuesday, 26-Sep-2023 23:56:11 JST

      In my earlier thread I should have recommended that folks be on the lookout for end of life (EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.

      Note: There IS a patched version of 22.x.x which is 22.3.24.

      Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines

      #Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863


      Attachments

      1. https://media.infosec.exchange/infosecmediaeu/media_attachments/files/111/128/421/161/251/171/original/e4d6a179a4883e8d.png
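An added example (editor's code, not from any of the posts above) that combines the fixed-version list in Tom's reply with the EoL warning in his last post into one audit. It reads the `Chrome/... Electron/...` banner from each Electron Framework binary the way the find/strings one-liner does, compares the Electron version against the first patched release of its major line, and separately flags lines that are, or are about to be, end of life, since a patched 22.3.24 still needs a vendor nudge. The support window it encodes (24, 25 and 26 supported; 22 supported until 10 Oct 2023; 27 in beta; everything else EoL) is an assumption taken from the thread and the Electron timelines page, and the status labels are invented for the example.

```python
"""Audit bundled Electron builds against the CVE-2023-4863 fixed versions and
Electron's support window. Added example, not code from the thread."""
import mmap
import re
from datetime import date
from pathlib import Path

# Banner Electron embeds in its user-agent string, e.g.
# "Chrome/114.0.5735.289 Electron/25.8.1" (what the thread's strings|grep finds).
BANNER = re.compile(
    rb"Chrome/(\d+(?:\.\d+){3}) Electron/(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)"
)

# First release fixing CVE-2023-4863 in each line, as listed in the thread.
PATCHED = {22: (22, 3, 24), 24: (24, 8, 3), 25: (25, 8, 1), 26: (26, 2, 1)}

# Assumed support window as of late September 2023: 24, 25 and 26 are the
# three supported stable lines, 22 is supported until 10 Oct 2023 (per the
# thread), 27 is still in beta, and every other line is already EoL.
EXTENDED_UNTIL = {22: date(2023, 10, 10)}
NEWEST_KNOWN = 26


def parse_version(text):
    """'25.8.1' -> (25, 8, 1, None); '27.0.0-beta.2' -> (27, 0, 0, 'beta.2')."""
    core, _, pre = text.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    return major, minor, patch, pre or None


def classify(electron_version, today):
    """Status label for one Electron version on a given day."""
    major, minor, patch, _pre = parse_version(electron_version)
    if major > NEWEST_KNOWN:
        return "unknown"          # newer than this table; check the advisory
    floor = PATCHED.get(major)
    if floor is None:
        return "eol-unpatched"    # e.g. 19.1.8 or 23.x: no fixed release exists
    if (major, minor, patch) < floor:
        return "vulnerable"
    if major in EXTENDED_UNTIL:   # patched, but the line is about to go EoL
        return "patched-eol-soon" if today < EXTENDED_UNTIL[major] else "patched-eol"
    return "patched"


def extract_banner(blob):
    """Return (chrome_version, electron_version) found in binary data, or None."""
    hit = BANNER.search(blob)
    return (hit.group(1).decode(), hit.group(2).decode()) if hit else None


def banner_in(path):
    """Scan one Electron Framework binary without reading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return extract_banner(m)


def audit(root="/Applications", today=None):
    """[(binary path, electron version, status)] for every Electron app under root."""
    today = today or date.today()
    found = []
    for path in Path(root).rglob("Electron Framework"):
        if path.is_file() and not path.is_symlink():   # skip the Versions/Current symlink
            banner = banner_in(path)
            if banner:
                found.append((str(path), banner[1], classify(banner[1], today)))
    return found


if __name__ == "__main__":
    for binary, version, status in audit():
        print(f"{status:18} Electron {version:14} {binary}")
```

Run it as is on a Mac to get one line per app; the Versions/Current symlink is skipped so each framework is reported once, as with `find -type f`. Anything that comes back `vulnerable` needs an app update, `eol-unpatched` and `patched-eol-soon` are the cases Tom describes where the app itself may be current but its vendor needs to move to a supported Electron line, and `unknown` means the table here is older than the build and the advisory should be consulted.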

GNU social JP is a social network, courtesy of the GNU social JP admin. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.