Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin's excellent article on Ars Technica.
As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.
I threw together the following shell command to help macOS audit which versions of Electron apps are installed.
find /Applications -type f -name "*Electron Framework*" -exec \
  sh -c 'echo "$1" && strings "$1" | grep "^Chrome/[0-9.]* Electron/[0-9]" | head -n1 && echo' _ {} \;
When run, you should see something similar to the following:
/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
Chrome/114.0.5735.289 Electron/25.8.1

/Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
Chrome/116.0.5845.188 Electron/26.2.1
I see that Microsoft also uses Electron 19.1.8 in #Skype! (Seems like there might be a vector to attack that, somehow, since one can send messages to another user?) #VisualStudioCode is vulnerable with 22.3.14
Contrary to what I see in the release notes, my updated #Obsidian is on 25.8.0 (not .1) #RStudio has 25.5.0
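As an added example (not part of the original post), this script parses the path/version output that the audit command above prints and flags any Electron Framework whose version is below a caller-supplied minimum. The threshold is an assumption, since the post does not state which Electron release carries the fix; the sample output is constructed from the paths and versions quoted in the post.

```shell
# Added example, not from the post: flag Electron Framework bundles below a minimum
# version. The threshold is an assumption; the post does not name the fixed release.

# Returns 0 if dotted version $1 >= $2 (three numeric components), else 1.
version_ge() {
  a="$1" b="$2" i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Pull the Electron version out of one "Chrome/... Electron/..." line.
electron_version() {
  printf '%s\n' "$1" | sed -n 's/^Chrome\/[0-9.]* Electron\/\([0-9.]*\).*/\1/p'
}

# Read audit output (path line, version line, blank line) from stdin and print
# "path<TAB>version<TAB>OK|BELOW-MIN" for each Electron Framework found.
audit_report() {
  min="$1"; path=""
  while IFS= read -r line; do
    case "$line" in
      Chrome/*) ver=$(electron_version "$line")
                if version_ge "$ver" "$min"; then status=OK; else status=BELOW-MIN; fi
                printf '%s\t%s\t%s\n' "$path" "$ver" "$status" ;;
      "")       ;;
      *)        path="$line" ;;
    esac
  done
}

# Constructed sample in the shape of the real command output (values from the post).
SAMPLE='/Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
Chrome/114.0.5735.289 Electron/25.8.1

/Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
Chrome/116.0.5845.188 Electron/26.2.1
'

# Number of sampled frameworks below the given minimum Electron version.
count_below_min() {
  printf '%s' "$SAMPLE" | audit_report "$1" | grep -c 'BELOW-MIN$' || true
}
```

On a real machine, pipe the output of the find command above into `audit_report <minimum>` instead of the constructed SAMPLE.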
a client made by an enterprise who will willingly backdoor your messages
a client made by 3 people that get random breaking changes that completely obliterate flow
a client that is one giant html5 canvas that uses 100% of your browser gpu power
a client that requires systemd
way too many abandoned android and ios clients
please use fedi we have:
an instance software which is so popular but so feature deprived it makes no sense why it exists, also it's trademarked in a bad way
an instance software that has so much code rot it spawned 500 forks to try and fix it only to become rotten themselves
an instance software that doesn't really know what it's doing and instead implemented 3 different api standards, and this is the fork i'm talking about. no one should talk about the upstream project.
Was reminded recently that Discord has taken nearly $1 billion in VC cash: https://tracxn.com/d/companies/discord/__5rlLgsamoGCjo5gATenpy383J_jyBToAQkMl2B_f99w
No judgment if you've already built a community there, but everyone really needs to treat it as a ticking time bomb. It's already failed its users many times over; it's just a question of when those failures will escalate beyond even the most indifferent user's tolerance. Every community deserves better. Good alternatives are a survival imperative.
@Jgmeadows Having #Skype and other #Microsoft apps keep getting reinstalled after I specifically removed them was what caused me to ditch #Windows11 for good. All of the #PC games I play work in #Linux without issue. Had to use a few app alternatives, but overall super glad to not be on Windows anymore.
oh don’t worry, discord won’t shut down. it will just gradually enshittify more and more as it keeps trying to make more money as the vc funds dry up, eventually being bought by a large corporation looking to sell the user data for a nice profit.
then once it gets bad enough, another centralized, proprietary platform will pop up that promises to be slightly better than discord (at least, better than discord after its gradual decline), people will move to it in droves, and the cycle will start all over again
discord will continue to stick around for a couple more years after that, until the company that bought it decides it’s not worth running anymore and unceremoniously shuts it down, destroying over a decade worth of people’s memories in the process
New from 404 Media: hackers can grab your IP address through Skype by just sending a link. Target doesn't even need to click it.
I know because researcher did it to me. Sent me a link, then pasted my IP in the chat.
“Damn, RIP 💀,” I wrote in response.
And Microsoft is in no rush to fix. Company only said it would fix eventually after 404 Media contacted for comment. To fund more impact journalism, subscribe to 404 Media in the buttons in the article.
I find digital life pretty exhausting.
At the moment I regularly receive Zoom links for meetings of two or three people via #Videokonferenz.
I find it annoying to always have to say that I don't want to use #Zoom.
When I talk to others about it, I often hear the claim that the free alternatives don't work properly (which, with such a small number of participants, I really can understand).
How can I handle such situations better without constantly feeling that I have to justify myself?
@sluecking Depending on how polemical the justification is allowed to be, you can either point to the #BigBrotherAwards laudation <https://bigbrotherawards.de/2023/zoom> or to the investigation by the Bundeskartellamt in cooperation with the @bsi that is linked as a source at the very bottom of that page:
Besides #Zoom, this investigation also covers other junk such as #Cisco #WebEx and MS #Skype and #Teams. Anyone who reads it carefully will conclude that these products cannot be used legally in the EU. The study recommends open-source solutions such as #BigBlueButton and #JitsiMeet. /c
Looks like Microsoft has released patches against the CVE-2023-4863 and CVE-2023-5217 vulnerabilities for Microsoft Edge, Teams and Skype. The patches revolve around the vulnerable libvpx & libwebp open source libraries used by these products. Update now!
As someone who doesn’t like #ai, #microsoft getting #openai for free is amazing! They’ll mismanage that company into the ground just like they do for all their acquisitions. Enjoy the same rockstar treatment #skype and #github got.
When you use #skype or #zoom, does the video traffic go through their servers, or does it only go between the two devices that are communicating via video chat?
“Hackers are able to grab a target’s IP address, potentially revealing their general physical location, by simply sending a link over the #Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it.”
#Cybersecurity #Hacking #Skype #Microsoft: "Hackers are able to grab a target’s IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it.
Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update."
I mean, while it may not be a "security vulnerability" in Microsoft's eyes, it's still not generally great practice to just let IP addresses be exposed to everybody.
"Grandpa told us something really strange. Back in the day, #Instagram was thick and heavy and made of paper. #Handys (mobile phones) were as big as a suitcase and bolted into glass booths on the street. To #Skype without video you had to insert metal #Bitcoins, and then you couldn't even google with it."
Signed in to #Skype on mobile for the first time in ages. It apparently has some kind of “today” feed full of news. Of all the features nobody asked for and nobody wanted. Anyways, what were the first two items in “my” feed? #Trump and #Musk. Then an Ad. Then sports, #FoxNews, and then Russia using a new weapon in the war. Amazing.