{"id":21709,"date":"2023-09-22T22:32:33","date_gmt":"2023-09-22T18:32:33","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/electron-framework-security-issues\/21709\/"},"modified":"2023-09-22T22:32:38","modified_gmt":"2023-09-22T18:32:38","slug":"electron-framework-security-issues","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/electron-framework-security-issues\/21709\/","title":{"rendered":"Security of Electron-based desktop applications"},"content":{"rendered":"

Early this year I gave you five reasons to avoid desktop versions of messengers<\/a>. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.<\/p>\n

But, as I wrote in that post, it has become clear the problem is much more widespread \u2014 affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have a many more browsers than you think in your system this very minute\u2026<\/p>\n

What is Electron, and why do application developers want to use it?<\/h2>\n

Electron is a cross-platform desktop application development framework that employs web technologies \u2014 mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name \u2014 Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.<\/p>\n

\"Electron

Main page of the Electron framework official site. Source<\/a><\/p><\/div>\n

Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.<\/p>\n

Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.<\/p>\n

Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.<\/p>\n

Electron\u2019s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.<\/p>\n

\"Mullvad

Et tu autem, Brute! You can find Electron in apps you least expect to<\/p><\/div>\n

Summing up, the Electron framework is popular among developers \u2014 most particularly as it allows to greatly accelerate and simplify the application development process for all desktop operating systems in one go.<\/p>\n

Issues with Electron-based applications<\/h2>\n

\nElectron-based applications have a number of drawbacks. The most obvious from the users\u2019 perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries its whole home on its back like a snail<\/s> a full-blown Chromium browser. In effect, it operates through that browser \u2014 serving as a sort of intermedium.<\/p>\n

Next issue: web browsers are a favorite target of cybercriminals. It\u2019s worth repeating: inside every<\/em> Electron-based app there\u2019s a separate instance of the Chromium<\/strong> web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.<\/p>\n

New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome\/Chromium: so far this year more than 70 high, and three critical severity-level vulnerabilities<\/a> have been found in Chromium as of the time of writing. Worse yet, exploits for the world\u2019s most popular browser\u2019s vulnerabilities appear really quick. This means that a good part of Chrome\/Chromium holes are not just abstract bugs you treat as a matter of routine \u2014 they\u2019re vulnerabilities that can be used for attacks by cybercriminals out in the wild.<\/p>\n

\"List

Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source<\/a><\/p><\/div>\n

For the standalone Chrome browser, this isn\u2019t such a serious problem. Google is very<\/em> quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don\u2019t need to fear updating).<\/p>\n

Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app\u2019s vendor has released a new version and successfully communicated to users the need to install it.<\/p>\n

So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.<\/p>\n

The framework\u2019s creators know full well about the problem<\/a>, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.<\/p>\n

And here\u2019s a fresh example: On September 11, Google fixed the CVE-2023-4863<\/a> vulnerability in Google Chrome<\/a>. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates<\/a>.<\/div>\n

Which desktop applications are based on Electron?<\/h2>\n

\nNot many folks seem to know how incredibly common Electron-based desktop applications are. I\u2019ll bet you are using more than one of them. Check them out yourself:<\/p>\n