Comment

Don’t forget to update ALL web browsers on ALL platforms, plus at least Electron apps.

Summary

The article discusses the security of Electron-based desktop applications and highlights several key points:

Introduction to Electron: Electron is a popular cross-platform desktop application development framework that uses web technologies like HTML, CSS, and JavaScript. It enables developers to create desktop applications for various operating systems based on web versions.

Advantages of Electron: Electron is favored by developers for its ability to streamline the development process for desktop apps across multiple operating systems. It also offers features for packaging, diagnostics, app store publication, and automatic updates.

Issues with Electron-Based Apps: Electron-based applications are known for being resource-intensive and having large file sizes. Additionally, they incorporate a Chromium web browser instance, making them potential targets for cybercriminals. Frequent vulnerabilities in Chromium can pose security risks, and Electron apps may not always receive timely updates.

Lack of Control: Users often have limited control over the Chromium instances within Electron apps, as updates depend on the app’s vendor. This lack of control can lead to unpatched vulnerabilities and security concerns.

Common Electron-Based Applications: The article lists popular applications that are based on Electron, including 1Password, Agora Flat, Asana, Discord, Figma, GitHub Desktop, Hyper, Loom, Microsoft Teams, Notion, Obsidian, Polyplane, Postman, Signal, Skype, Slack, Splice, Tidal, Trello, Twitch, Visual Studio Code, WhatsApp, and WordPress Desktop.

Security Recommendations: To mitigate security risks associated with Electron-based apps, the article suggests the following measures:

  1. Reduce the number of Electron-based apps in use, as these apps typically have feature-rich web versions that may suffice.

  2. Maintain an inventory of Electron-based apps used within an organization and prioritize their updates, especially for collaboration tools.

  3. Employ a reliable security solution to protect against attacks targeting known vulnerabilities.

In summary, while Electron-based desktop applications offer cross-platform convenience for developers, they come with security challenges due to their Chromium integration and update dependencies. Users are advised to be cautious, minimize their use of such apps, and prioritize security measures to mitigate potential risks.

Electron app list, although apparently not including some apps: https://www.electronjs.org/apps

  • @deafboy
    link
    English
    01 year ago

    If the professionals in other fields did what we’re doing in IT, they would be in jail.

    • DreamButt
      link
      English
      61 year ago

      Eh, I think it has more to do with A) inherent complexity and B) the age of the industry. Like a real system is too complex for any one individual to understand. For instance anyone who says they actually understand how memory works hasn’t actually dug a level deeper yet. The real experts all agree no one truly knows we just inherently trust the old research papers about c/cpp (there was a great discussion from some of the Rust guys that I’ll slap in here if I find it again). As for the second point. It’s pretty obvious that there are hundreds of competing standards for everything. And no one agrees yet on the clear winner. So I hear your sentiment but I dont think it’s really that simple

      • @deafboy
        link
        English
        01 year ago

        I get your argument, and raise you this.

        Imagine a medical doctor after an unsuccessful operation: “It was the scalpel makers fault. He simply does not understand how the metallurgy works”.

        Or an airplane disaster investigator saying: “We couldn’t have known this screw, made by a 16 years old furniture designer, could contain a screw-hole validation bug that would manifest itself in our use-case.”

        I love the rapid prototyping that’s possible thanks to everyone having an easy access to a computer. It’s what makes the progress happen so incredibly fast.

        It’s just… when you sit in front of the terminal in the evening, watching the npm build finish with 53 critical CVEs, when you stop and think for a moment… how the hell are we all still alive?

        • DreamButt
          link
          English
          3
          edit-2
          1 year ago

          Well I think the biggest difference there is most software isn’t responsible for the safety of human lives. But even if we want to ignore that aspect and take your example of a doctor. Is a bone doctor responsible for an unforseen throat-nose-ear type issue?

          Or to bring it back to the original context. Is a frontend dev responsible for what the backend developer does? Is the network guy responsible for the data they process? Yeah? How far do they have to verify? Do they need to go read the SSL spec and spend an entire year learning the repo that manages the version they use? Do they need to comb through every single RFC since the dawn of the internet? Obviously I’m being a bit if an ass with these examples but it’s important we talk about how far we expect due diligence to go

          I completely agree that the industry isnt at an acceptable place with things, but I think calling it unethical/illegal in the average case is a bit of a stretch. Maybe you’re right in that there are some obvious cases we could solve for today though (dependency scanners do exist after all)