this post was submitted on 14 Sep 2023
Don't forget to update ALL web browsers on ALL platforms, plus at least Electron apps.

Summary

The article discusses the security of Electron-based desktop applications and highlights several key points:

Introduction to Electron: Electron is a popular cross-platform desktop application development framework that uses web technologies like HTML, CSS, and JavaScript. It enables developers to create desktop applications for various operating systems based on web versions.

Advantages of Electron: Electron is favored by developers for its ability to streamline the development process for desktop apps across multiple operating systems. It also offers features for packaging, diagnostics, app store publication, and automatic updates.

Issues with Electron-Based Apps: Electron-based applications are known for being resource-intensive and having large file sizes. Additionally, they incorporate a Chromium web browser instance, making them potential targets for cybercriminals. Frequent vulnerabilities in Chromium can pose security risks, and Electron apps may not always receive timely updates.

Lack of Control: Users often have limited control over the Chromium instances within Electron apps, as updates depend on the app's vendor. This lack of control can lead to unpatched vulnerabilities and security concerns.

Common Electron-Based Applications: The article lists popular applications that are based on Electron, including 1Password, Agora Flat, Asana, Discord, Figma, GitHub Desktop, Hyper, Loom, Microsoft Teams, Notion, Obsidian, Polyplane, Postman, Signal, Skype, Slack, Splice, Tidal, Trello, Twitch, Visual Studio Code, WhatsApp, and WordPress Desktop.

Security Recommendations: To mitigate security risks associated with Electron-based apps, the article suggests the following measures:

  1. Reduce the number of Electron-based apps in use, as these apps typically have feature-rich web versions that may suffice.

  2. Maintain an inventory of Electron-based apps used within an organization and prioritize their updates, especially for collaboration tools.

  3. Employ a reliable security solution to protect against attacks targeting known vulnerabilities.

In summary, while Electron-based desktop applications offer cross-platform convenience for developers, they come with security challenges due to their Chromium integration and update dependencies. Users are advised to be cautious, minimize their use of such apps, and prioritize security measures to mitigate potential risks.

Electron app list, although apparently not including some apps: https://www.electronjs.org/apps
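The second recommendation above (keep an inventory of Electron-based apps and prioritise their updates) is easy to state and tedious to do by hand, because the vendor's "what's new" rarely says which Chromium is inside. The script below is an added example for this thread, not code from the summarised article or from the Electron project. It assumes, as a heuristic that is not stated on the page, that an Electron bundle on Linux or Windows keeps its main executable next to marker files such as `resources/app.asar` and `LICENSES.chromium.html`, and that the executable embeds a user-agent-style token of the form `Chrome/<major.minor.build.patch> Electron/<major.minor.patch>` (macOS `.app` bundles keep the version in the framework's `Info.plist` instead and are not handled). The application tree it scans is constructed in a temporary directory with illustrative version numbers; the Chromium baseline you compare against is your own input, taken from the current Chromium/Electron release notes, not something the script derives.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional

# Heuristic bundle markers (assumption, see lead-in). Requiring two avoids
# flagging a program that merely ships a LICENSES.chromium.html.
ELECTRON_MARKERS = (
    "resources/app.asar",
    "resources/app",
    "LICENSES.chromium.html",
    "chrome_100_percent.pak",
)

# Token Electron embeds in its default user agent (assumed format).
VERSION_RE = re.compile(rb"Chrome/(\d+(?:\.\d+){3}) Electron/(\d+\.\d+\.\d+)")


@dataclass
class ElectronApp:
    path: Path
    chromium: str   # e.g. "116.0.5845.188"
    electron: str   # e.g. "26.2.1"

    @property
    def chromium_major(self) -> int:
        return int(self.chromium.split(".")[0])


def looks_like_electron(app_dir: Path) -> bool:
    return sum((app_dir / m).exists() for m in ELECTRON_MARKERS) >= 2


def find_version_token(binary: Path, chunk_size: int = 1 << 20) -> Optional[tuple[str, str]]:
    """Stream the file in chunks (real Electron binaries are >100 MB) and return
    (chromium_version, electron_version) from the first token found."""
    tail = b""
    with binary.open("rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                return None
            m = VERSION_RE.search(tail + buf)
            if m:
                return m.group(1).decode(), m.group(2).decode()
            tail = buf[-64:]  # overlap so a token split across chunks is still seen


def inspect_bundle(app_dir: Path) -> Optional[ElectronApp]:
    """The main executable sits in the bundle's top level; scan only those files."""
    for f in sorted(app_dir.iterdir()):
        if f.is_file():
            found = find_version_token(f)
            if found:
                return ElectronApp(app_dir, *found)
    return None


def scan(roots: Iterable[Path]) -> list[ElectronApp]:
    apps: list[ElectronApp] = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            d = Path(dirpath)
            if looks_like_electron(d):
                app = inspect_bundle(d)
                if app:
                    apps.append(app)
                dirnames[:] = []  # do not descend into a bundle's internals
    return sorted(apps, key=lambda a: a.path.name)


def outdated(apps: Iterable[ElectronApp], min_chromium_major: int) -> list[ElectronApp]:
    """Apps whose embedded Chromium major is below the baseline you supply."""
    return [a for a in apps if a.chromium_major < min_chromium_major]


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: two fake Electron bundles plus one unrelated program.
    Version numbers are illustrative, not a statement about any real app."""
    fixtures = {
        "chatapp": b"Chrome/114.0.5735.289 Electron/25.8.1 Safari/537.36",
        "notesapp": b"Chrome/116.0.5845.188 Electron/26.2.1 Safari/537.36",
    }
    for name, token in fixtures.items():
        d = base / name
        (d / "resources").mkdir(parents=True)
        (d / "resources" / "app.asar").write_bytes(b"")
        (d / "LICENSES.chromium.html").write_text("<html></html>")
        (d / name).write_bytes(b"\x7fELF" + b"\x00" * 4096 + b"Mozilla/5.0 " + token + b"\x00" * 64)
    other = base / "plaintool"
    other.mkdir()
    (other / "plaintool").write_bytes(b"\x7fELF" + b"\x00" * 1024)  # no markers, no token


def run_demo(min_chromium_major: int = 116) -> dict[str, list[str]]:
    """Scan the constructed tree; returns the inventory and the outdated subset by name."""
    base = Path(tempfile.mkdtemp(prefix="electron-inv-"))
    build_sample_tree(base)
    apps = scan([base])
    return {
        "inventory": [f"{a.path.name} chromium={a.chromium} electron={a.electron}" for a in apps],
        "outdated": [a.path.name for a in outdated(apps, min_chromium_major)],
    }


if __name__ == "__main__":
    for line in run_demo()["inventory"]:
        print(line)
```

For a real host, replace the constructed tree with the directories where desktop apps actually land (for example `/opt`, `/usr/lib`, `~/.local/share` and Snap/Flatpak roots on Linux, or each user's `AppData\Local` on Windows) and set `min_chromium_major` to the Chromium release that carries the fix you care about; anything in the `outdated` list is a vendor you need to chase, which is the point the article makes about Electron updates depending on the app's vendor rather than on you.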

[–] deafboy@lemmy.world 0 points 1 year ago (1 children)

If the professionals in other fields did what we're doing in IT, they would be in jail.

[–] tdawg@lemmy.world 6 points 1 year ago (1 children)

Eh, I think it has more to do with A) inherent complexity and B) the age of the industry. Like, a real system is too complex for any one individual to understand. For instance, anyone who says they actually understand how memory works hasn't actually dug a level deeper yet. The real experts all agree no one truly knows; we just inherently trust the old research papers about c/cpp (there was a great discussion from some of the Rust guys that I'll slap in here if I find it again). As for the second point, it's pretty obvious that there are hundreds of competing standards for everything, and no one agrees yet on the clear winner. So I hear your sentiment, but I don't think it's really that simple.

[–] deafboy@lemmy.world 0 points 1 year ago (1 children)

I get your argument, and raise you this.

Imagine a medical doctor after an unsuccessful operation: "It was the scalpel maker's fault. He simply does not understand how the metallurgy works".

Or an airplane disaster investigator saying: "We couldn't have known this screw, made by a 16-year-old furniture designer, could contain a screw-hole validation bug that would manifest itself in our use-case."

I love the rapid prototyping that's possible thanks to everyone having an easy access to a computer. It's what makes the progress happen so incredibly fast.

It's just... when you sit in front of the terminal in the evening, watching the npm build finish with 53 critical CVEs, when you stop and think for a moment... how the hell are we all still alive?

[–] tdawg@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

Well, I think the biggest difference there is most software isn't responsible for the safety of human lives. But even if we want to ignore that aspect and take your example of a doctor: is a bone doctor responsible for an unforeseen throat-nose-ear type issue?

Or to bring it back to the original context. Is a frontend dev responsible for what the backend developer does? Is the network guy responsible for the data they process? Yeah? How far do they have to verify? Do they need to go read the SSL spec and spend an entire year learning the repo that manages the version they use? Do they need to comb through every single RFC since the dawn of the internet? Obviously I'm being a bit of an ass with these examples, but it's important we talk about how far we expect due diligence to go.

I completely agree that the industry isn't at an acceptable place with things, but I think calling it unethical/illegal in the average case is a bit of a stretch. Maybe you're right in that there are some obvious cases we could solve for today, though (dependency scanners do exist, after all).