PSA: a recently-fixed image parsing vulnerability in Chrome (and things that use Chrome, such as Electron apps) is being actively exploited in the wild. install your updates!
PSA: a recently-fixed image parsing vulnerability in Chrome (and things that use Chrome, such as Electron apps) is being actively exploited in the wild. install your updates!
Chrome was updated September 11
Matrix Element Desktop updated September 15, without a changelog or advisory. (The Element update on September 13 did not include the updated electron with the fix; today's update does, according to their announcement on Matrix.)
Many/most electron apps don't receive timely security updates, so if you don't want arbitrary images to be able to get code execution you might want to stop using them.
Electron apps are such a joke, honestly.
VS Code is an awesome electron app
I love vs code but electron causes issues: https://github.com/microsoft/vscode/issues/10121
On ArchLinux, many Electron apps use a central installation of Electron that is kept up to date by the package manager. That works pretty well.
Of course, snap-based distributions like Ubuntu and other systems without a proper package manager like macOS and Windows can’t do it like that.
And Firefox and Thunderbird as well. Updates for everything are available.
More reason I wish devs would stop using Electron and stick to PWAs. Then you only have to update a single browser.
I keep hearing "exploited in the wild", but does anyone have anything concrete on it — like, IoCs, PoC, victims ... anything?
Guess it's time to finally retire Bromite
Have you tried Cromite? Its forked from Bromite by one of the original developers, except kept up to date and actively maintained, plus improved constantly, etc.