This is the second in our series of Top 5 interesting cases from 2018. Each of these bugs has some element that sets them apart from the approximately 1,400 advisories released by the program this year. This blog actually details multiple bugs in the Electron framework that ended up receiving the same CVE.

In early December 2017, we received a collection of protocol handler related remote code execution vulnerabilities residing in Windows desktop clients of Google Web Designer (ZDI-18-552), Microsoft Teams (ZDI-18-426), Skype (ZDI-18-308), and Slack (ZDI-18-265) from our long-time research partner rgod. While they are vastly dissimilar products, they share one thing in common: Electron.js. Electron is a development framework that allows developers to write cross-platform desktop clients using Node.js. It is the cool, new kid on the block of cross-platform desktop application frameworks, or Chromium in disguise.

These four distinct vulnerabilities are all collectively mitigated by a patch from Electron.js known as CVE-2018-1000006. This patch was merged from a downstream product that is not a relevant part of rgod's submission. Since Electron pulled the patch from an unrelated repo, it appears as though rgod found a bug collision.

This vulnerability was chosen as one of the top 5 bugs of the year because its impact goes beyond the aforementioned four products. Not long after the publication of the fix, Tomas Lažauninkas discovered the Exodus wallet application is also affected. On top of this, rgod also discovered identical vulnerable patterns in applications that leveraged the Chromium Embedded Framework, a platform similar to Electron.js.