Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.

But, as I wrote in that post, it has become clear the problem is much more widespread, affecting not only messengers but hundreds of other apps as well. Chances are that, because of Electron-based apps, you have many more browsers on your system this very minute than you think.

What is Electron, and why do application developers want to use it?

Electron is a cross-platform desktop application development framework that employs web technologies — mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.

Main page of the Electron framework official site.

Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.

Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.

Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.

Electron also offers conveniences such as building installation packages, debugging, publishing to app stores, and automatic updates.

Et tu autem, Brute! Even Mullvad VPN uses the Electron framework: you find it in apps you least expect.

Summing up, the Electron framework is popular among developers mainly because it lets them greatly accelerate and simplify application development for all desktop operating systems in one go.

Issues with Electron-based applications

Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries a full-blown Chromium browser on its back, like a snail its shell. In effect, the app operates through that browser, which serves as a kind of intermediary between the app’s code and the operating system.

Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.

New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year more than 70 high-severity and three critical-severity vulnerabilities have been found in Chromium as of the time of writing. Worse yet, exploits for vulnerabilities in the world’s most popular browser appear very quickly. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine; they’re vulnerabilities that can be, and are, used for attacks by cybercriminals out in the wild.

Even in fine print, the list of Chrome/Chromium vulnerabilities found in the first eight months of 2023 takes up several screens.

For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).

Things are very different for Electron-based apps. The Chromium version inside such an app is fixed at build time by the Electron release the vendor compiled against, and the app cannot update its embedded browser on its own. That Chromium will only get patched if the app’s vendor rebuilds against a newer Electron, releases a new version, and successfully communicates to users the need to install it.

So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.

The framework’s creators know full well about the problem: Electron publishes its own security releases, but only the latest three stable major versions receive them, and the project strongly recommends that app developers stay on a supported version and ship patches on time. Alas, users can only hope that those recommendations are followed.

And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It is a heap buffer overflow in the WebP image decoder that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and therefore in every Electron-based application built on an affected version. So all companies using Electron in their applications will have to work on updates.

Which desktop applications are based on Electron?

Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:

  • 1Password
  • Agora Flat
  • Asana
  • Discord
  • Figma
  • GitHub Desktop
  • Hyper
  • Loom
  • Microsoft Teams
  • Notion
  • Obsidian
  • Polyplane
  • Postman
  • Signal
  • Skype
  • Slack
  • Splice
  • Tidal
  • Trello
  • Twitch
  • Visual Studio Code
  • WhatsApp
  • WordPress Desktop

I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).

That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).

The official list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones.

Security considerations

So how do you avoid the threats posed by the uncontrolled browsers that developers keep embedding into desktop apps, usually without users noticing? I have three main tips regarding this:

  • Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact that a service uses the framework usually means it has a highly developed web version, most likely on a par with the desktop application in terms of features and convenience. Open the service in your regular browser, which Google patches directly, instead of installing a second browser you can’t patch.
  • Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
  • Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.
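To make the second tip actionable, here is an added example (written for this post; it is not Electron’s or any vendor’s tooling) that inventories Electron apps under a directory tree and flags those whose bundled Chromium is older than a baseline you choose. It assumes two things you should verify on your own installs: that a packaged Electron app keeps its bundle in resources/app.asar (or resources/app/) next to Chromium runtime files such as icudtl.dat and v8_context_snapshot.bin (on macOS, inside an .app with Contents/Frameworks/Electron Framework.framework), and that the framework binary embeds its version as the user-agent fragment "Electron/<major>.<minor>.<patch>". The sample directory tree it builds is constructed for the demo; the Electron-to-Chromium table is assumed from the Electron release notes and must be extended as new majors ship.

```python
"""Inventory Electron apps on disk and flag stale bundled Chromium.

Added example for this post, not project code. Assumptions (verify with
`strings <binary> | grep Electron/` on a real install):
  * app bundle lives in resources/app.asar or resources/app/;
  * Chromium runtime files (icudtl.dat etc.) sit beside it, or the app is a
    macOS .app containing Contents/Frameworks/Electron Framework.framework;
  * the binary embeds the literal "Electron/x.y.z".
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Files that only ship with a Chromium/Electron runtime. Requiring two of them
# plus an app bundle keeps plain web apps and Node tools out of the inventory.
RUNTIME_MARKERS = {"icudtl.dat", "v8_context_snapshot.bin", "snapshot_blob.bin",
                   "chrome_100_percent.pak", "resources.pak"}
MAC_FRAMEWORK = os.path.join("Contents", "Frameworks", "Electron Framework.framework")

# Electron major -> bundled Chromium major (assumed from Electron release notes;
# extend as new majors ship). Unknown majors are reported as None and treated as stale.
ELECTRON_TO_CHROMIUM = {22: 108, 23: 110, 24: 112, 25: 114, 26: 116, 27: 118}

VERSION_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")
Version = Tuple[int, int, int]


@dataclass
class ElectronApp:
    path: str
    electron: Optional[Version]
    chromium_major: Optional[int]

    def is_stale(self, min_chromium_major: int) -> bool:
        """True when the bundled Chromium is older than (or unknown versus) your baseline."""
        return self.chromium_major is None or self.chromium_major < min_chromium_major


def find_electron_version(app_dir: str) -> Optional[Version]:
    """Search binaries under app_dir for the embedded 'Electron/x.y.z' fragment."""
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(root, name)
            # Skip resource blobs and anything implausibly large for a framework binary.
            if name.endswith((".pak", ".dat", ".asar")) or os.path.getsize(full) > 512 * 1024 * 1024:
                continue
            try:
                with open(full, "rb") as fh:
                    match = VERSION_RE.search(fh.read())
            except OSError:
                continue
            if match:
                return tuple(int(g) for g in match.groups())  # type: ignore[return-value]
    return None


def looks_like_electron_app(dirpath: str, filenames: List[str]) -> bool:
    has_bundle = any(os.path.exists(os.path.join(dirpath, "resources", b)) for b in ("app.asar", "app"))
    linux_windows_layout = has_bundle and len(RUNTIME_MARKERS & set(filenames)) >= 2
    mac_layout = dirpath.endswith(".app") and os.path.isdir(os.path.join(dirpath, MAC_FRAMEWORK))
    return linux_windows_layout or mac_layout


def scan(root: str) -> List[ElectronApp]:
    """Walk root and return every directory that fingerprints as a packaged Electron app."""
    found: List[ElectronApp] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if looks_like_electron_app(dirpath, filenames):
            version = find_electron_version(dirpath)
            chromium = ELECTRON_TO_CHROMIUM.get(version[0]) if version else None
            found.append(ElectronApp(dirpath, version, chromium))
            dirnames[:] = []  # do not descend into an app we already recorded
    return found


def build_sample_tree() -> str:
    """Constructed sample: one fake Electron app (Electron 25.8.0) and one plain app."""
    root = tempfile.mkdtemp(prefix="electron-inventory-")
    app = os.path.join(root, "chatapp")
    os.makedirs(os.path.join(app, "resources"))
    for name in ("icudtl.dat", "v8_context_snapshot.bin", "resources/app.asar"):
        open(os.path.join(app, name), "wb").close()
    with open(os.path.join(app, "chatapp"), "wb") as fh:  # stand-in for the real binary
        fh.write(b"\x00%s/%s Chrome/%s Electron/25.8.0\x00")
    other = os.path.join(root, "plain-tool")
    os.makedirs(other)
    open(os.path.join(other, "README"), "wb").close()
    return root


if __name__ == "__main__":
    for app in scan(build_sample_tree()):
        print(app.path, app.electron, "Chromium", app.chromium_major, "stale" if app.is_stale(116) else "ok")
```

On a real host, point scan() at the usual install locations (/opt and /usr/share on Linux, /Applications on macOS, %LOCALAPPDATA% and Program Files on Windows) and set the baseline to the Chromium major Google is currently shipping in stable Chrome; every app that comes back stale is a browser on your estate that the vendor, not Google, has to patch.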


Many companies, especially small ones, don’t use dedicated systems such as Slack or Microsoft Teams for communication between employees, but ordinary messengers such as WhatsApp, Telegram and Signal. And while people prefer the mobile versions for personal use, when it comes to work, many install the desktop apps without giving much thought to how secure they are.

In our recent post about a vulnerability in the desktop version of Signal, we wrote that “the best advice is not to use the desktop version of Signal (and desktop versions of messengers in general)”. But since the reasons aren’t immediately obvious, here we explain in detail the drawbacks of desktop messengers when it comes to cybersecurity.

Note that we’re talking about desktop versions of “civilian” messaging apps (such as Telegram, WhatsApp, and Signal), not corporate platforms such as Slack and Microsoft Teams, which are specifically adapted for work processes (and therefore operate somewhat differently; they are not covered in this post).

1. An app on the outside, a browser on the inside

One of the key things to understand about desktop versions of messengers is that most of them are built on top of the Electron framework. What this essentially means is that such a program is, on the inside, a web application opened in a built-in Chromium browser.

This is actually the main reason why Electron is so popular among developers of desktop messengers: the framework makes it quick and easy to create an application that runs on any operating system. However, it also means that programs built on top of Electron automatically inherit all of its vulnerabilities.

At the same time, we have to understand that, because of their enormous popularity, Chrome and Chromium are always in the spotlight. Cybercriminals regularly find vulnerabilities in them and quickly create exploits with detailed descriptions of how to use them. In the case of a normal standalone Chrome browser, this isn’t a big problem: Google is very responsive to information about vulnerabilities and releases patches regularly. To stay safe, you just need to install updates without delay. But when it comes to programs based on Electron, the embedded browser gets updates only when the developer releases a new version of the app.

So what do we end up with? If your employees use apps built on Electron, it means they have several browsers running on their systems for which exploits frequently appear. On top of that, neither you nor they can control the updates for these browsers. The more such apps there are, the greater the risk. So it would be wise at least to limit the number of “civilian” messengers used for work purposes in the company.

2. The key question

One of the biggest attractions of modern messengers is their use of end-to-end encryption; that is, decrypting messages requires the chat participant’s private key, which never leaves their device. And as long as no one else knows the encryption key, your correspondence is securely protected. But if attackers get hold of the private key, they can not only read your correspondence but also impersonate one of the chat participants.

And this is where the problem with desktop versions of messengers comes from: they store the encryption keys on the hard drive, which means they’re easy to steal. Of course, the attacker has to somehow get access to the system, say, via malware, but that’s quite doable in the case of desktop operating systems. For mobile devices, their architectural features make stealing encryption keys considerably more difficult, especially remotely.

In other words, using the desktop version of a messenger automatically and significantly increases the risk that the encryption keys, and with them the work correspondence, will fall into the wrong hands.

3. A RAT in the chat

Suppose all goes well and no one (yet) has your employees’ encryption keys: does this mean all work correspondence is safe and sound? Not quite. Cybercriminals can potentially use remote administration tools as well as remote access Trojans (both share the same acronym, RAT) to get at work correspondence. The difference between them is rather symbolic: both legitimate tools and illegal Trojans can be used to do many interesting things with your computer.

RATs represent a threat against which desktop messenger clients, unlike their mobile counterparts, have practically no defense. Such programs let even an inexperienced attacker get hold of the contents of confidential correspondence. In a messenger running on a desktop, all chats are automatically decrypted, so there’s no need to steal the private key. Anyone in remote desktop mode can read your correspondence, even if it’s conducted in the most secure messenger in the world. And not just read it, but also write messages in work chats under the guise of a company employee.

Moreover, remote administration tools are legitimate programs, with all the ensuing consequences. First, unlike malware, which has to be obtained from the dark corners of the internet, they can be found and downloaded online without any trouble. Second, not every security solution warns the user if a remote access tool is found on their computer.

4. What’s in the box?

Another reason to avoid using desktop clients of popular messengers is the risk that they can be used as an additional, uncontrolled channel for delivering malicious files to your employees’ computers. Of course, you can pick those up anywhere. But when it comes to email attachments and, even more so, files downloaded from the internet, most people are aware of the potential danger. Files received in a messenger, especially one positioned as secure, are seen differently: “what could be wrong here?” This is especially true if the file comes from a colleague: “nothing to worry about” is the common view.

The vulnerability found in the desktop version of Signal related to how the messenger handles files (described in our recent post) serves as an example. Exploiting this vulnerability allowed an attacker to covertly distribute infected documents to chat participants while pretending to be one of them.

This is just one hypothetical scenario that demonstrates the advanced technical capabilities of attackers. Others cannot be ruled out either: from mass mailings based on stolen databases to targeted attacks using social engineering.

Again, mobile operating systems are better protected from malware, so this problem is less acute for users of mobile messenger clients. Their desktop counterparts run a much greater risk of attracting some kind of malware.

5. We need a shotgun for this sort of thing

Traditional threats shouldn’t be forgotten. Dedicated security solutions at the corporate mail gateway level provide protection against malicious attachments and phishing. But in the case of desktop messenger clients, things are more complicated. No solution can intercept an end-to-end encrypted message exchange that goes through the messenger’s own servers; dangerous objects can only be caught at the endpoint, after decryption, which lowers the level of protection.

Once again, this is far less of a problem on mobile devices. They are harder to infect with malware, and fewer important files are stored on them. In addition, lateral movement in the corporate network after a successful attack on a mobile device is unlikely to have the same consequences.

Desktop messengers on work computers provide a communication channel that is not only uncontrolled by the network administrator but also shielded from their actions; and from this situation very bad things can arise.

Prevention is better than cure and blame

We end essentially where we started: as mentioned in the introduction, the best tip is not to use desktop versions of messengers. If for some reason that’s not an option, at least take some basic precautions:

  • Be sure to install security software on work devices. In fact, this is the only way to protect against the malicious things that a messenger can let creep into your corporate network.
  • If your employees use more than one messenger for work purposes, try to stop this practice. Settle on one and block the rest.
  • Also, monitor the remote access tools installed and used on work devices.
  • By the way, our Kaspersky Endpoint Security Cloud has a Cloud Discovery feature that tracks employees’ attempts to use unapproved cloud services.
  • And to make all these measures more effective, and at the same time demonstrate their absolute necessity, information security training for employees will help.
