Looks like Microsoft has released patches against CVE-2023-4863 and CVE-2023-5217 vulnerabilities for Microsoft Edge, Teams and Skype. The patches revolve around the vulnerable the libvpx & libwebp open source libraries used by these products. Update now!
Microsoft says they've patched #Teams, among others, for #CVE_2023_4863 and #CVE_2023_5217, but that doesn't track with their published Update History. Or at least, it's unclear how the patch was applied. I guess not with a patched Electron version!
I've updated the #CVE_2023_4863 Google Sheet to allow anyone to comment (gulp). That way, if you know of a version that is missing or has changed, you can take action!
But this seclists thread seems to say that CVE-2023-5129 is associated with libwebp commits that are different from the fixes associated with CVE-2023-4863 [Edit: but these are described by the issuer as cleanups]:
The seclists poster is reaching out to double-check whether it's new. Solar Designer's assessment is that it's probably the same (but that the cleanups in the code should be examined anyway):
Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's excellent article on Ars Technica.
As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.
I threw together the following shell command to help macOS audit which versions of Electron apps are installed.
find /Applications -type f -name "*Electron Framework*" -exec <br></br> sh -c "echo "{}" && strings "{}" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " ;<br></br>
When run, you should see something similar to the following:
/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework<br></br>Chrome/114.0.5735.289 Electron/25.8.1<br></br><br></br>/Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework<br></br>Chrome/116.0.5845.188 Electron/26.2.1<br></br>
In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.
Note: There IS a patched version of 22.x.x which is 22.3.24.