"Security Analysis Leads to Discovery of Vulnerabilities in 18 Electron Applications"

A team of researchers from various companies has analyzed Electron-based desktop applications and discovered vulnerabilities in several widely used pieces of software. As the researchers explained, Electron is a free and open source framework for developing cross-platform desktop applications. It has been used to build some very popular applications, including Microsoft Teams, WhatsApp, and Slack. The research project targeting Electron apps has been dubbed ElectroVolt.

In total, the researchers identified vulnerabilities in 18 applications. The affected software includes Microsoft Teams, Discord, Visual Studio Code, Basecamp, Mattermost, Element, Notion, JupyterLab, and Rocket.Chat, among others. Impacted vendors have been informed, and they all released patches.

The researchers noted that nearly all of the exploits, many of which involve chaining several flaws, can lead to remote code execution on the targeted system. In Microsoft Teams, the researchers found a local file read issue. In many cases, only minimal user interaction is required to trigger the exploits, such as clicking on a link or simply accessing a certain section of the application. Most of the flaws have been rated "critical," and the researchers earned approximately $60,000 for disclosing them to their respective vendors.

SecurityWeek reports: "Security Analysis Leads to Discovery of Vulnerabilities in 18 Electron Applications"

Submitted by Anonymous on