Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's excellent article on Ars Technica.
As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.
I threw together the following shell command to help macOS audit which versions of Electron apps are installed.
find /Applications -type f -name "*Electron Framework*" -exec <br></br> sh -c "echo "{}" && strings "{}" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " ;<br></br>
When run, you should see something similar to the following:
/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework<br></br>Chrome/114.0.5735.289 Electron/25.8.1<br></br><br></br>/Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework<br></br>Chrome/116.0.5845.188 Electron/26.2.1<br></br>
find /Applications -type f -name 'Electron Framework' -exec \
perl -Mversion=0.77 -nE \
'@safe = map version->parse($), qw(22.3.24 24.8.3 25.8.1 26.2.1);
next unless m{Chrome/[0-9.]+ Electron/([0-9.]+)}; $ver = version->parse($1);
if ($ver < (grep int $->numify >= int $ver->numify, @safe)[0]) {
say "vulnerable Electron $ver found in $ARGV"; next
}' {} ;
Like a lot of #JavaScript apps, Electron iterates versions really fast. #SemanticVersioning is not a guide to the chronological age of software, only its compatibility with other software.
I can confirm that a fresh install of Keybase on macoS is using 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.
I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November.
@TomSellers@mjgardner@dangoodin The Teams one is insane. Microsoft happily distributes their premiere communications platform atop a version of Electron that EOLed a year ago; if our agency adhered to its own rules, we would have to remove it from every single device until MS released a new version built atop a currently-supported framework.
I see that Microsoft also uses Electron 19.1.8 in #Skype! (Seems like there might be a vector to attack that, somehow, since one can send messages to another user?) #VisualStudioCode is vulnerable with 22.3.14
Contrary to what I see in the release notes, my updated #Obsidian is on 25.8.0 (not .1) #RStudio has 25.5.0
In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.
Note: There IS a patched version of 22.x.x which is 22.3.24.
@dangoodin Thanks. I included that version in the post linked below based on my reading of the Slack release notes for macOS. It's good to have it officially confirmed and to know it covers Windows too.
Add comment