 Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129.

https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing


And for those of you who refuse to click on Google links: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec 
 @663e5b60 bUt GitHuB IS OwNed by MiCrO$ofT! I only click certified organic open source links! 
 @663e5b60 This is phenomenal! 
 @663e5b60 Thanks, dude! 
 @663e5b60 Is this relevant (the current version of Authy Desktop MacOS): 
/Applications/Authy Desktop.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
Chrome/96.0.4664.174 Electron/16.2.8 
 @663e5b60 you are a beautiful and unique snowflake. Thank you! 
 @663e5b60 I’ve also put together this, to get a list of all your Electron apps, at least on macOS.

https://gist.github.com/april/3da7c3720b0d9f3ee7dc9a95f623578d 
 @663e5b60 How can folks contribute?

VULNERABLE:

* Twilio's Authy Desktop is currently at Electron 16.2.8.
* ExpanDrive is currently at 22.3.1.
* Jabra Direct is currently at 16.2.2.
* MuteMe is currently at 23.2.2.

REMEDIATED:

* PolyPane (as of this morning!) is at Electron 26.2.4. 
 A lot of folks seem confused about how this list was created. I tried to be maximally transparent on this account about my process (and got teased for my rapid prototyping Python for my troubles!). 

Here's how the list of Electron apps was assembled.

Recognizing that the Wikipedia list that one security research firm was using was woefully incomplete, I went to the Electron Website to see what they had to say about it. 700+ apps were listed, which seemed like a good starting point.

Every app listing had a name of course, and if it was open source, a link to a repo. Since I was already there, I used a little JavaScript to slice the page and grab the app name and repo in a usable CSV format.

I then imported that list into Python for further work. Using requests, I attempted to locate a package.json in the root of each repo (I'm working on improving this process for common subdirs). If the file mentioned electron as a dependency, the version was extracted and assigned. The version was checked against our known-patched versions, and further evaluated.

What is not happening is me manually reviewing a couple hundred repositories, nor me installing 700+ electron apps to ascertain versions. 

This list is best effort. It is by no means perfect. But I'm going to try to improve it some in the next day or so.
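The triage step described in the post above (find `electron` in a repo's package.json, extract the declared version, compare it with the patched releases) can be written as a small, offline-testable function. The code below is an added example, not the author's prototyping script; the package.json inputs are constructed, and the `EXAMPLE_FIXED_FLOORS` table holds placeholder thresholds that must be replaced with the versions from Electron's own advisory for CVE-2023-5129. It also handles the cases that make such a scan "best effort": range specifiers like `^` and `~` only give a lower bound, and specs such as `latest` or `>=` give no bound at all and are reported as unknown rather than guessed.

```python
"""Added example (not the thread author's code): classify a repository's
declared Electron version for CVE-2023-5129 triage from its package.json."""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER per-major floors (assumption for this example, not the authoritative
# list): a release at or above the floor for its major line counts as patched;
# a major line with no entry is treated as having no patched release at all.
EXAMPLE_FIXED_FLOORS: Dict[int, Version] = {
    22: (22, 3, 24),
    24: (24, 8, 3),
    25: (25, 8, 1),
    26: (26, 2, 1),
}

# Sections of package.json where an app may declare its Electron dependency.
DEP_SECTIONS = ("devDependencies", "dependencies", "optionalDependencies")

# Matches an exact pin or a caret/tilde range: '16.2.8', '^16.2.8', '~22.3.1',
# 'v26.2.4', '26.2.4-beta.1'. Specs with no lower bound ('latest', '*', '>=25')
# deliberately do not match.
_PIN = re.compile(r"^\s*[=v^~]?\s*(\d+)\.(\d+)\.(\d+)")


def electron_spec(package_json: str) -> Optional[str]:
    """Return the raw electron version spec declared in package.json, or None."""
    try:
        data = json.loads(package_json)
    except json.JSONDecodeError:
        return None
    for section in DEP_SECTIONS:
        deps = data.get(section)
        if isinstance(deps, dict) and "electron" in deps:
            return str(deps["electron"])
    return None


def parse_pin(spec: str) -> Optional[Version]:
    """Extract the lowest version a spec can resolve to, or None if unbounded."""
    m = _PIN.match(spec)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: Optional[Version],
             floors: Dict[int, Version] = EXAMPLE_FIXED_FLOORS) -> str:
    """'patched', 'vulnerable' or 'unknown' for a declared lower-bound version.

    Because '^x.y.z' may resolve higher at install time, 'vulnerable' means the
    declared floor is below the fix, which is exactly the best-effort signal the
    spreadsheet records; a built app still needs its bundled framework checked.
    """
    if version is None:
        return "unknown"
    floor = floors.get(version[0])
    if floor is None:
        return "vulnerable"  # no patched release recorded for this major line
    return "patched" if version >= floor else "vulnerable"


def triage(package_json: str,
           floors: Dict[int, Version] = EXAMPLE_FIXED_FLOORS) -> Dict[str, object]:
    """One-shot triage of a package.json body: spec, parsed version, status."""
    spec = electron_spec(package_json)
    if spec is None:
        return {"spec": None, "version": None, "status": "no-electron"}
    version = parse_pin(spec)
    return {"spec": spec, "version": version, "status": classify(version, floors)}


# Constructed sample inputs (not real repositories).
SAMPLE_OLD_MAJOR = '{"name": "a", "devDependencies": {"electron": "^16.2.8"}}'
SAMPLE_BELOW_FLOOR = '{"name": "b", "devDependencies": {"electron": "~22.3.1"}}'
SAMPLE_PATCHED = '{"name": "c", "dependencies": {"electron": "26.2.4"}}'
SAMPLE_UNBOUNDED = '{"name": "d", "devDependencies": {"electron": "latest"}}'
SAMPLE_NO_ELECTRON = '{"name": "e", "dependencies": {"react": "^18.2.0"}}'

if __name__ == "__main__":
    for label, body in [("old-major", SAMPLE_OLD_MAJOR),
                        ("below-floor", SAMPLE_BELOW_FLOOR),
                        ("patched", SAMPLE_PATCHED),
                        ("unbounded", SAMPLE_UNBOUNDED),
                        ("no-electron", SAMPLE_NO_ELECTRON)]:
        print(f"{label:12} -> {triage(body)}")
```

In a real run the package.json bodies would come from each repo's raw file URL, and anything reported as `unknown` or `no-electron` (apps that vendor Electron, keep package.json in a subdirectory, or float on `latest`) goes into a manual-review bucket rather than the vulnerable or patched columns.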