Comment
Don’t forget to update ALL web browsers on ALL platforms, plus at least Electron apps.
Summary
The article discusses the security of Electron-based desktop applications and highlights several key points:
Introduction to Electron: Electron is a popular cross-platform desktop application development framework that uses web technologies like HTML, CSS, and JavaScript. It enables developers to create desktop applications for various operating systems based on web versions.
Advantages of Electron: Electron is favored by developers for its ability to streamline the development process for desktop apps across multiple operating systems. It also offers features for packaging, diagnostics, app store publication, and automatic updates.
Issues with Electron-Based Apps: Electron-based applications are known for being resource-intensive and having large file sizes. Additionally, they incorporate a Chromium web browser instance, making them potential targets for cybercriminals. Frequent vulnerabilities in Chromium can pose security risks, and Electron apps may not always receive timely updates.
Lack of Control: Users often have limited control over the Chromium instances within Electron apps, as updates depend on the app’s vendor. This lack of control can lead to unpatched vulnerabilities and security concerns.
Common Electron-Based Applications: The article lists popular applications that are based on Electron, including 1Password, Agora Flat, Asana, Discord, Figma, GitHub Desktop, Hyper, Loom, Microsoft Teams, Notion, Obsidian, Polyplane, Postman, Signal, Skype, Slack, Splice, Tidal, Trello, Twitch, Visual Studio Code, WhatsApp, and WordPress Desktop.
Security Recommendations: To mitigate security risks associated with Electron-based apps, the article suggests the following measures:
- Reduce the number of Electron-based apps in use, as these apps typically have feature-rich web versions that may suffice.
- Maintain an inventory of Electron-based apps used within an organization and prioritize their updates, especially for collaboration tools.
- Employ a reliable security solution to protect against attacks targeting known vulnerabilities.
In summary, while Electron-based desktop applications offer cross-platform convenience for developers, they come with security challenges due to their Chromium integration and update dependencies. Users are advised to be cautious, minimize their use of such apps, and prioritize security measures to mitigate potential risks.
Electron app list, although apparently not including some apps: www.electronjs.org/apps
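The inventory recommendation above is the one a defender can automate. The following is an added example, not code from the article or the thread: it walks a directory tree, recognises Electron-packaged apps by the files they ship beside the main binary, reads the embedded `Chrome/x.y.z.w` and `Electron/x.y.z` strings the binary uses to build its user agent, and flags anything whose Chromium major version is below a floor you set. The marker file names, the Linux/Windows layout (binary next to a `resources/` directory) and the presence of the version strings as plain ASCII are assumptions; `demo()` runs it against a constructed fake app, not a real one.

```python
import os
import re
import tempfile
from pathlib import Path

# Files an Electron-packaged app ships next to its main binary (assumed Linux/Windows layout).
MARKERS = ("resources/app.asar", "v8_context_snapshot.bin", "chrome_100_percent.pak")
# Version strings the binary embeds for its user agent (assumption: present as plain ASCII).
CHROME_RE = re.compile(rb"Chrome/(\d+\.\d+\.\d+\.\d+)")
ELECTRON_RE = re.compile(rb"Electron/(\d+\.\d+\.\d+)")

def extract_versions(blob: bytes) -> dict:
    """Return {'chromium': ..., 'electron': ...} for whichever strings are present."""
    out = {}
    for key, rx in (("chromium", CHROME_RE), ("electron", ELECTRON_RE)):
        m = rx.search(blob)
        if m:
            out[key] = m.group(1).decode()
    return out

def inventory(root: str, min_chromium_major: int) -> list:
    """Walk root and record every Electron app, flagging Chromium older than the floor."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        app_dir = Path(dirpath)
        if not any((app_dir / m).exists() for m in MARKERS):
            continue
        rec = {"path": dirpath, "chromium": None, "electron": None, "stale": True}
        for name in sorted(files):          # locate the file carrying the version strings
            path = app_dir / name
            if not path.is_file():
                continue
            versions = extract_versions(path.read_bytes())
            if versions:
                rec.update(versions)
                break
        if rec["chromium"]:                 # an unknown version stays flagged as stale
            rec["stale"] = int(rec["chromium"].split(".")[0]) < min_chromium_major
        found.append(rec)
    return found

def demo() -> list:
    """Build a constructed sample tree (a fake app, not a real one) and inventory it."""
    base = tempfile.mkdtemp()
    app = Path(base, "fakeapp")
    (app / "resources").mkdir(parents=True)
    (app / "resources" / "app.asar").write_bytes(b"constructed placeholder")
    (app / "fakeapp").write_bytes(b"\x7fELF...Chrome/120.0.6099.291 Electron/28.3.3...")
    Path(base, "notelectron").mkdir()       # a directory that must not be reported
    return inventory(base, min_chromium_major=124)

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Feed the `stale` records into whatever ticketing or patch-tracking process the organisation already uses; the floor is whatever Chromium major the current browser fixes correspond to.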
tdawg@lemmy.world 1 year ago
If the last twenty years have taught us anything it’s that software is inherently insecure
deafboy@lemmy.world 1 year ago
If the professionals in other fields did what we’re doing in IT, they would be in jail.
tdawg@lemmy.world 1 year ago
Eh, I think it has more to do with A) inherent complexity and B) the age of the industry. Like a real system is too complex for any one individual to understand. For instance anyone who says they actually understand how memory works hasn’t actually dug a level deeper yet. The real experts all agree no one truly knows; we just inherently trust the old research papers about c/cpp (there was a great discussion from some of the Rust guys that I’ll slap in here if I find it again). As for the second point, it’s pretty obvious that there are hundreds of competing standards for everything. And no one agrees yet on the clear winner. So I hear your sentiment but I don’t think it’s really that simple.