Electron-Based Application Vulnerabilities Hit VS Code, Microsoft Teams – Visual Studio Magazine


A research team recently reported on vulnerabilities in applications built on the open-source Electron framework for building desktop applications with JavaScript, HTML, and CSS.

That camp includes Visual Studio Code and Microsoft Teams.

The presentation, from a team of Electrovolt security specialists who perform code reviews, penetration testing and design assessment consulting, was titled "Pwning Popular Desktop Applications While Uncovering New Attack Surface on Electron."

And pwn they did, achieving remote code execution (RCE), where an attacker remotely executes commands on the victim's computing device, in 20 Electron-based applications. Besides VS Code and Microsoft Teams, the list includes Discord, JupyterLab, Mattermost, Rocket.Chat, Notion, BaseCamp and others.

[Figure: Electron architecture (source: Electrovolt/Black Hat).]

The team presented three takeaways from the research, which involved achieving RCE by getting users to click on links sent to them in apps:

  • Electron apps are an adversary's (or red team's) best target, as users will click anywhere or open messages.
  • Dig deep into the framework you're auditing and don't limit yourself to just the application layer.
  • Reduce the attack surface in applications as much as possible. (A particular URL redirect may one day be turned into RCE.)

The team has blogged about several of its findings over the past few months, including one titled "Visual Studio Code - Remote Code Execution in Restricted Mode (CVE-2021-43908)."

"Everyone knows that VSCode is probably one of the most widely used Electron apps. As part of our research into hacking Electron applications, we thought it might be worth exploiting VSCode, and we have been able to exploit VSCode without using any of our fancy new stuff," said the TL;DR in the post. "Remote code execution can be performed when the victim opens a markdown file in a maliciously crafted VSCode project or folder, even in VSCode Restricted Mode."

The fix for the related Common Vulnerabilities and Exposures (CVE) entry, CVE-2021-43908 ("Visual Studio Code Spoofing Vulnerability"), was released last December, resulting in a corresponding $3,000 bug bounty from the Microsoft Security Response Center.

There was no blog post for the Microsoft Teams vulnerability, which also paid a $3,000 bounty and was associated with a local file read.

To protect against these vulnerabilities, the team recommended the following mitigations:

  • Enable all security flags
  • Don't use integrations that don't have a good security track record (third-party integrations)
  • Mitigate vulnerabilities (XSS, open URL redirection, etc.) on all of your assets (including subdomains)
  • Upgrade Electron often so the patch gap won't be large
  • Do not implement sensitive IPC in the main process
  • Ensure that all IPC message handlers correctly validate senderFrame
  • If you are shipping your own library that mixes browser-level and application-level code, make sure there is adequate separation
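The senderFrame check from the list above, sketched as an added example (not code from the Electrovolt team or the article). The `app://bundle` origin, the `read-settings` channel and the settings store are hypothetical; `event.senderFrame.url` and `ipcMain.handle` are the real Electron API, stubbed here with constructed events so the logic runs without Electron.

```javascript
// Origins allowed to call privileged IPC handlers (hypothetical value).
const TRUSTED_ORIGINS = new Set(['app://bundle']);

// True only if the frame that sent the message was loaded from an allowlisted
// origin. The check is on the sending frame, not the window: an embedded
// iframe showing remote content has its own senderFrame.url.
function isTrustedFrame(frame) {
  if (!frame || typeof frame.url !== 'string') return false; // frame gone
  let u;
  try {
    u = new URL(frame.url);
  } catch {
    return false; // unparsable URL: reject rather than guess
  }
  // Compare scheme and host exactly; no prefix or substring matching.
  return TRUSTED_ORIGINS.has(`${u.protocol}//${u.host}`);
}

// Wrap a handler so it never runs for an untrusted sender.
function requireTrustedSender(handler) {
  return (event, ...args) => {
    if (!isTrustedFrame(event.senderFrame)) {
      throw new Error('IPC rejected: untrusted sender frame');
    }
    return handler(event, ...args);
  };
}

// Hypothetical privileged handler; arguments are validated as well.
const SETTINGS = { theme: 'dark', locale: 'en' }; // constructed sample data
function readSettings(_event, key) {
  if (!Object.prototype.hasOwnProperty.call(SETTINGS, key)) {
    throw new Error('unknown setting');
  }
  return SETTINGS[key];
}

// In an Electron main process this would be registered as:
//   ipcMain.handle('read-settings', requireTrustedSender(readSettings));
const guardedReadSettings = requireTrustedSender(readSettings);
```

Matching on the parsed scheme and host rather than on a string prefix keeps lookalike URLs such as `app://bundle.attacker.example/` from passing the check.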

Apparently, the presentation included a lot of discussion about renderers and sandboxes, and this month's Electron 20.0. nodeIntegration: true Where sandbox: false specified."

Electrovolt researchers involved in the project were Mohan Sri Rama Krishna, Max Garrett, Aaditya Purani and William Bowling.

About the Author

David Ramel is the publisher and creator of Converge360.