Oleh Diposting pada

Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.

But, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have a many more browsers than you think in your system this very minute…

What is Electron, and why do application developers want to use it?

Electron is a cross-platform desktop application development framework that employs web technologies — mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.

Electron framework official site

Main page of the Electron framework official site. Source

Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.

Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.

Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.

Electron’s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.

Mullvad VPN uses the Electron framework, too

Et tu autem, Brute! You can find Electron in apps you least expect to

Summing up, the Electron framework is popular among developers — most particularly as it allows to greatly accelerate and simplify the application development process for all desktop operating systems in one go.

Issues with Electron-based applications

Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries its whole home on its back like a snail a full-blown Chromium browser. In effect, it operates through that browser — serving as a sort of intermedium.

Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.

New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year more than 70 high, and three critical severity-level vulnerabilities have been found in Chromium as of the time of writing. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quick. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that can be used for attacks by cybercriminals out in the wild.

List of Chrome/Chromium vulnerabilities found in the first eight months of 2023

Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source

For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).

Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app’s vendor has released a new version and successfully communicated to users the need to install it.

So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.

The framework’s creators know full well about the problem, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.

And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates.

Which desktop applications are based on Electron?

Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:

  • 1Password
  • Agora Flat
  • Asana
  • Discord
  • Figma
  • GitHub Desktop
  • Hyper
  • Loom
  • Microsoft Teams
  • Notion
  • Obsidian
  • Polyplane
  • Postman
  • Signal
  • Skype
  • Slack
  • Splice
  • Tidal
  • Trello
  • Twitch
  • Visual Studio Code
  • WhatsApp
  • WordPress Desktop

I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).

That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).

List of Electron-based applications

The list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones. Source

Security considerations

So how to avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably embedding into desktop apps? I have three main tips regarding this:

  • Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact of using the framework normally suggests that the service has an extremely advanced web version, which is most likely on a par with the desktop application in terms of features and convenience.
  • Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
  • Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.


#Electronbased #desktop #applications #secure

Oleh Diposting pada

Previous posts in our back-to-school series have covered how to protect your child’s devices and explain the importance of cybersecurity in school. Today we talk about the core, and often unavoidable, apps used in modern education. This means electronic diaries and virtual classrooms, plus videoconferencing for distance learning. They are all insecure.

Electronic diaries

Electronic study-diaries and virtual classroom websites are used these days to help administer  the educational process. Educators use them to share lesson schedules, homework assignments, and announcements. And parents can see their kids’ grades, or even chat with their teachers.

The main problem with such web applications is the substandard protection of personal data that’s provided. In 2020, the attorney general of the U.S. state of New Mexico even filed a lawsuit against Google Classroom, citing the company’s alleged practice of collecting personal data from children and using it for commercial purposes. And in 2022, the Dutch Ministry of Education introduced a number of restrictions on the use of Google services in schools for the exact same reason.

Unfortunately, in most cases parents have no control over what services schools decide to use. The story of Google Classroom is by no means the worst. Issues with the service have been openly discussed for a long time, and Google has been forced to take note and beef up its protection. But, as a father of three, I’ve had the (mis)fortune of seeing other electronic diaries in action, where the situation with personal data storage and transfer is nothing if not murky.

What can parents do about this? Asking the school for all details about privacy and personal data usage in all services you need is a good start. And teach your kid how to leave as little personal data as possible on such sites.

Videoconferencing

The covid lockdown was a big eye-opener for many kids: turns out you don’t need to go to school! Lessons suddenly became more fun but for the wrong reasons: my daughter chats with her teacher in one window — and watches a movie or plays a game in another (or on a different device).

Such distance “learning” only adds to the worries of parents. Even before covid, we had to monitor what our kids were downloading, since banking Trojans, spyware and ransomware are forever sneaking in under the guise of legal apps — even in Google Play and other official stores. But at least in school they were less exposed to such threats, because internet usage was not generally a part of in-class learning.

With the distance-learning revolution, however, there are now even more apps on our kids’ tablets for us parents to fret about, as well as unlimited internet use for “study” purposes.

And although the lockdowns are long over, many schools continue to practice distance learning for some classes. Meanwhile, Zoom, Teams, and other videoconferencing platforms remain vulnerable to attacks. The most obvious consequence of such attacks, as before, is personal data leakage. But it can get worse: if a malicious third party were to gain access to a virtual classroom, they might show some decidedly “non-kid-suitable” videos.

And even if parents are versed in the safe hosting of video chats, they are unlikely to be able to influence the school’s choice of tools. Here, too, you should ask the school for an explanation as to why an insecure program was chosen.

In addition, you need to teach your kids the basic safety rules of using such apps. In particular, your child should learn to turn off both the microphone and camera when not required, as well as to blur the background and disable screen-sharing by default. And of course, your child should never accept video chat invitations from strangers — or communicate with any if they do show up uninvited to a video conference.

And it goes without saying that all devices your child uses should be protected with a reliable security solution — one that guards against viruses and personal data leaks on computers and mobile devices, and keeps your kid’s privacy intact. Remember that with your free annual subscription to Kaspersky Safe Kids as part of Kaspersky Premium, in addition to total protection for all devices, you get powerful parental controls over your child’s online activity and offline location.


#Backtoschool #threats #virtual #classrooms #videoconferencing