PSA: a recently-fixed image parsing vulnerability in Chrome (and things that use Chrome, such as Electron apps) is being actively exploited in the wild. install your updates!
(nvd.nist.gov)
from cypherpunks@lemmy.ml to technology@lemmy.world on 15 Sep 2023 12:22
https://lemmy.ml/post/4958656
Chrome was updated September 11
Matrix Element Desktop updated September 15, without a changelog or advisory. (The Element update on September 13 did not include the updated electron with the fix; today’s update does, according to their announcement on Matrix.)
Many/most electron apps don’t receive timely security updates, so if you don’t want arbitrary images to be able to get code execution you might want to stop using them.
Guess it’s time to finally retire Bromite
Have you tried Cromite? It’s forked from Bromite by one of the original developers, except kept up to date and actively maintained, plus improved constantly, etc.
Can’t use it as I have a 32bit phone and the dev refuses to provide a 32bit binary (and won’t explain why, referring to some nonexistent past discussion)
Ah, that’s unfortunate. Then yeah, I guess your best bet is to stick to a Firefox based browser (that’s my recommendation personally, I use Mull), or if you still need Chromium, I think Brave is the best option atm.
I only use Bromite at this point for some streaming stuff which doesn’t work so well on FF based browsers, and Mulch always pauses playback when minimised… Bloody annoying. I didn’t want to use Brave, but I guess I might have to try it.
github.com/uazo/bromite-buildtools/issues/59
github.com/uazo/bromite-buildtools/issues/41
Edit: also:
github.com/uazo/cromite/issues/146
Okay
Are any modern phones really 32 bit only? What device are you running?
Not for a while, I have an oldish Motorola with Android 9, probably one of the last phones with 32b OS
(Don’t anyone dare tell me to “upgrade”)
Huh didn’t realize that would’ve come with 32 bit so recently. I ran a z2 force up until about 2 years ago when it stopped holding a charge. Those old Motorolas were great phones, but I haven’t found anything in their recent line that interested me. Ended up going with a Pixel 6 and then a 7 pro, my dad needed an update from his z2 force and it was cheaper if I just gave him mine and upgraded. Haven’t had any issues with the pixels, except for my sister dropping her 2xl and breaking the screen. Anything you get eventually though get unlocked. Tensor has a bunch of custom roms now so anything you upgrade will last for a while.
Well this was a 150 € phone when new so that’s a pretty different category than what you’re looking at. I wouldn’t be surprised if 32b was still a thing in the cheap Chinese phones.
If I ever get a chance to replace it, it will be extremely tough because it has a bunch of things which are indispensable for me that newer models simply don’t have.
What kind of stuff are you looking for?
Screen with no holes, physical dual SIM cards and mSD card, headphone jack, somewhat trustworthy manufacturer with no ads and bloat, easily unlockable bootloader. There should still be one German-made phone that still has all that and some more, if it still exists, although if I ever get to getting a new phone we’ll probably all be using brain implants so it may all be moot by that point. Don’t worry about it, I’m not looking for recommendations or anything, I know everyone thinks my demands are crazy.
Nah the demands aren’t crazy, they all used to be standard until the mass enshitification hit. My sister’s boyfriend found one that had almost all of those bar from the hole punch and the trustworthy manufacturer (some off brand Chinese company I don’t remember off the top of my head). Even had a thermal camera on it which was cool
There are a lot of phones that have some of the features - Sony has punchless displays, some cheap phones have headphone jacks, all the Motorolas have two SIMs, some phones have SD cards in shared slots, Pixels and some others have unlockable bootloaders, it’s just basically impossible to get one with all of this…
Thanks as a former Bromite user I had no idea this existed.
And Firefox and Thunderbird as well. Updates for everything are available.
Firefox version 117.0.1 has the fix.
EDIT: Also Tor got patched with 12.5.4.
Electron apps are such a joke, honestly.
VS Code is an awesome electron app
Discord is pretty bangin too
It’s almost like shit electron apps are shit because the developers are such a joke (honestly), not electron.
Using a whole browser as the base for your application just seems unnecessary. Then again, I do most things from my terminal.
The web is basically becoming a whole operating system and I hate it.
At this pace I predict the fabled “year of the Linux desktop” will arrive when local-processing desktops have been overrun by closed-off mobile devices and cloud services.
Discord has also been using ancient electron versions for a long while now (I don’t know if they’ve since updated to versions that haven’t been EoL’ed).
On Linux, I literally have a better experience using discord in my browser than the electron version.
Edit: looks like discord updated to Electron 22 in March 2023, with the update to Electron 23 happening maybe at the end of the year or early next year, according to this reddit post. So they’re getting better, but still a bit behind.
Not for me, Discord is slow af on my laptop. But do definitely agree it’s Discord’s fault in this case
Discord is a privacy invading pile of shit
I love vs code but electron causes issues: github.com/microsoft/vscode/issues/10121
On ArchLinux, many Electron apps use a central installation of Electron that is kept up to date by the package manager. That works pretty well.
Of course, snap-based distributions like Ubuntu and other systems without a proper package manager like macOS and Windows can’t do it like that.
That’s pretty cool. I’m wondering how often this leads to compatibility problems.
Still, nothing comes close to a native UI experience.
That’s not really well defined on Linux. It feels like every application comes with its own toolkit and its own behavior. Even on Windows, there is a mixture of three different generations of Windows UI systems (Windows XP-style, Windows 8-style, Fluent) that are completely different.
I keep hearing “exploited in the wild”, but does anyone have anything concrete on it — like, IoCs, PoC, victims … anything?
More reason I wish devs would stop using Electron and stick to PWAs. Then you only have to update a single browser.