WAT
H.R.792 - To direct the Secretary of the Interior to arrange for the carving of the figure of President Donald J. Trump on Mount Rushmore National Memorial.
@Infoseepage That was my understanding as well. It appears that they have renamed and re-tasked the existing United States Digital Service
New US DOGE Service to have access to all unclassified US Gov records.
Muscle memory is such a powerful thing when not trained away. Recently my wife and I took a trip that involved quite a bit of swimming. As a kid and teenager I enjoyed swimming but unfortunately I haven't done much of it in the last 30 years.
So, muscle memory... On the recent trip, every time I surfaced from swimming underwater I would use my hands to slick back my hair to keep it, and water, out of my face. This is a very distinctive motion that actually starts just before I surface. Every time, without fail.
Reader, I haven't had hair, much less enough to need slicking back, in over 20 years. It made me laugh nearly every time I surfaced. It has been so long since I spent any time underwater that I had forgotten that I even did it. I chalk that up to rarely swimming now and being blind AF w/o glasses so I wouldn't swim underwater much when I did. It's probably been 10+ years since I did it for any significant time.
Anyway, muscle memory is a hell of a thing and so is being able to laugh at yourself.
@GossiTheDog It's also 6 years old. Seems I skimmed a bit too fast.
Here is a Fortinet PDF for the "Is my toothbrush really smart?" presentation by Axelle Apvrille at Troopers in 2018. I suspect this information is what they are referencing in the article.
https://filestore.fortinet.com/fortiguard/research/toothbrush.pdf
In my earlier thread I should have recommended that folks be on the lookout for end of life (EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.
Note: There IS a patched version of 22.x.x which is 22.3.24.
Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines
#Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863
The patched (fixed) versions of Electron are
Electron v22.3.24, v24.8.3, v25.8.1 - released September 13 and fixes CVE-2023-4863 as well as CVE-2023-4763, CVE-2023-4762, and CVE-2023-4761
Electron v26.2.1 - released September 13 and updates Chrome. Fixes the CVEs but does not call them out
Here are the fixed versions of some other common software:
GitHub Desktop v3.3.3 - bumps Electron to v24.8.3 which fixes CVE-2023-4863
VS Code 1.82.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863
Signal Desktop v6.30.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863
Slack v4.34.119 - bumps Electron to v26.2.1, indicates a security fix but doesn't label it with its highest risk label
Apple iOS 16.7, 17.0.1
Apple iPadOS 16.7, 17.0.1
Apple macOS Ventura 13.6
Apple macOS Monterey 12.7
Apple watchOS 9.6.3, 10.0.1
Apple Safari 16.6.1
Google Chrome 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows
Mozilla Firefox 117.0.1, ESR 102.15.1, ESR 115.2.1
Mozilla Thunderbird 102.15.1, 115.2.2
Edit: Added Electron v22.3.24 to the patched list. Thanks @delfuego
I can confirm that a fresh install of Keybase on macOS is using Electron 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.
I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November. A note that 19.1.9 is the last version of this train and includes at least two security fixes.
Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin's excellent article on Ars Technica.
As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.
I threw together the following shell command to help macOS audit which versions of Electron apps are installed.
find /Applications -type f -name "*Electron Framework*" -exec \

When run, you should see something similar to the following:

/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework

#Security #Electron #CVE20234863 #CVE-2023-4863
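The audit in the post above only lists where an Electron Framework lives; the script below, added here and not the author's command, also reads each bundled Electron version and grades it against the patched releases listed earlier in the thread (v22.3.24, v24.8.3, v25.8.1, v26.2.1). It assumes each Electron Framework.framework carries an XML Info.plist whose CFBundleShortVersionString is the Electron version; the check is pure POSIX sh, find and awk, so it can be run from any shell.

```shell
#!/bin/sh
# Added example (not the author's command): audit the Electron versions bundled
# in macOS apps under a root directory and grade each against the patched
# releases listed in the thread for CVE-2023-4863. Assumption: each
# Electron Framework.framework ships an XML Info.plist whose
# CFBundleShortVersionString holds the Electron version.
# Patched releases named in the thread, as major:minimum-fixed-version.
FIXED="22:22.3.24 24:24.8.3 25:25.8.1 26:26.2.1"

# version_ge A B: succeeds when dotted version A >= B, comparing numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# electron_status VERSION: prints patched, unpatched, or no-fix-listed
# (majors the thread lists no fix for, e.g. EoL 19.x/23.x, or newer ones).
electron_status() {
  major=${1%%.*}
  for entry in $FIXED; do
    [ "${entry%%:*}" = "$major" ] || continue
    if version_ge "$1" "${entry#*:}"; then echo patched; else echo unpatched; fi
    return 0
  done
  echo no-fix-listed
}

# plist_version FILE: value of CFBundleShortVersionString in an XML plist.
plist_version() {
  awk '/<key>CFBundleShortVersionString<\/key>/ {
    getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# audit_electron [ROOT]: one line per app: "<app path> <version> <status>".
audit_electron() {
  root=${1:-/Applications}
  find "$root" -type d -name "Electron Framework.framework" 2>/dev/null |
  while IFS= read -r fw; do
    plist=$(find "$fw/Versions" -path '*/Resources/Info.plist' 2>/dev/null | head -n 1)
    [ -n "$plist" ] || continue
    case "$fw" in *.app/*) app="${fw%%.app/*}.app" ;; *) app=$fw ;; esac
    ver=$(plist_version "$plist")
    printf '%s\t%s\t%s\n' "$app" "$ver" "$(electron_status "$ver")"
  done
}
```

Run `audit_electron` with no argument to scan /Applications; an "unpatched" or "no-fix-listed" line is the vendor conversation the thread recommends.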
Security geek, packet abuser. Research Eng at @runZeroInc. http://LinkedIn.com/in/tomsellers http://fadedlab.wordpress.com he/him/they/goofball