Electron-Based Application Vulnerabilities Hit VS Code, Microsoft Teams – Visual Studio Magazine
Vulnerabilities in electron-based applications hit VS Code, Microsoft Teams
Among the affected Electron-based apps are Visual Studio Code and Microsoft Teams.
Featuring a team of security experts from Electrovolt, who perform code reviews, penetration testing, and design review consulting, the presentation was titled Pwning Popular Desktop apps while learning about a new attack surface on Electron.
And pwn they did, performing remote code execution (RCE) — in which an attacker remotely executes commands on a victim’s computing device — on 20 Electron-based apps. Besides VS Code and Microsoft Teams, this list includes Discord, JupyterLab, Mattermost, Rocket.Chat, Notion, BaseCamp, and many more.
The team offered three takeaways from the research, which achieved RCE by getting users to click on links sent to them inside the apps:
- Electron apps are the ideal adversary (or red team) target, as users will click anywhere or open messages.
- Go deeper into the framework you are auditing and go beyond just the application layer
- Minimize the attack surface on applications as much as possible. (Open URL Redirection may also be turned into RCE one day)
Over the past few months, the team has published blog posts on several of the investigations, including one titled Visual Studio Code – Remote Code Execution in Restricted Mode (CVE-2021-43908).
“We all know that VSCode is one of the most widely used Electron apps. As part of our research on hacking Electron apps, we thought it would be cool to pwn VSCode and we were able to pwn it. We were able to perform RCE on VSCode without being able to use any of our fancy new stuff,” the post said, adding this TL;DR: “Remote code execution may be achieved when a victim opens a markdown file in a maliciously crafted VSCode project or folder even in VSCode Restricted Mode.”
The fix for the related Common Vulnerabilities and Exposures entry, CVE-2021-43908 (“Visual Studio Code Spoofing Vulnerability”), was actually released last December, resulting in a corresponding $3,000 bug bounty payment from the Microsoft Security Response Center.
There was no blog post for the Microsoft Teams vulnerability, which also paid a $3,000 bounty and had something to do with reading local files.
To protect against vulnerabilities that have not been patched, the team has proposed the following mitigations:
- Enable all security flags
- Don’t use third-party integrations that don’t have a good security track record
- Mitigate web vulnerabilities (XSS, Open URL Redirection, etc.) on all your assets, including subdomains, since the app loads content from them
- Regularly upgrade Electron to ensure the patch gap is not large
- Do not implement sensitive IPC handlers in the main process
- Make sure all IPC message handlers correctly validate senderFrame, not just the sending WebContents
- Make sure that adequate separation is present if you deploy your own library that combines browser- and application-level code
Interestingly, the presentation included a lot of talk about renderers and sandboxes, and this month’s release of Electron 20.0.0 included this new feature: “Renderers are now sandboxed by default, unless nodeIntegration: true or sandbox: false is specified.”
Electrovolt researchers participating in the project were Mohan Sri Rama Krishna, Max Garrett, Aaditya Purani and William Bowling.
David Ramel is an editor and writer for Converge360.