
Google refuses to fix Remote Code Execution Vulnerabilities in Chromium 59. Unpatched Electron & CEF Apps are Vulnerable!

AlTech

Individuals identified issues in Chromium 59 causing remote code execution. Google was unable to replicate the issue in Chromium 60 and thus decided not to patch it.

 

So now, Electron apps and any version of Chromium not using Chromium 60 are affected by this. GitHub has applied a patch to their copy of the Chromium source code and Electron and has issued 2 bug fix updates (1.7.8 and 1.6.14).

 

However, any recent Electron-based app such as Slack, potentially Discord, Microsoft Teams, and Chromium- or CEF-based apps like Spotify could still be unpatched.

 

I urge you not to use any of the aforementioned apps until you can positively and safely say that they are no longer at risk.

 

"A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.
We’ve published two new versions of electron 1.7.8 and 1.6.14, both of which include a fix for this vulnerability. We urge all Electron developers to update their apps to the latest stable version immediately:"

 

Google not patching Chromium 59 despite it not being the current latest version is still incredibly disappointing. I expected better from Google...

 

Source:

https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022),

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023)


Isn't the fix for any app still using 59 simply to move to 60? A patch for 59 would still require an update for the user.

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


Just now, porina said:

Isn't the fix for any app still using 59 simply to move to 60? A patch for 59 would still require an update for the user.

Electron doesn't move to each new Chromium version. They skip a version, and so do CEF and CEF-based products.

 

E.g. 55 -> 57 -> 59

 

GitHub had to patch Chromium 59 since Google was unwilling to do so.

 

To upgrade Chromium version in Electron would be a somewhat significant undertaking.



6 minutes ago, huilun02 said:

Technically the fix to 59 is 60... 

Google has done their duty of care for the end product they provide. Electron and other apps are not Google products. Not defending Google here, but the thread title appears to be deliberately worded to make Google look like the bad guy.

Because Google is the bad guy.

 

Not everybody is able to update their version of Chromium every time a new Chromium version comes out.

 

The Chromium Embedded Framework and Electron are incredibly popular and used on millions of devices. Google should know better than to screw over the millions of users running CEF or Electron apps.

 

Which is why it's a shame there isn't an alternative to Electron or CEF which uses Gecko.



4 minutes ago, iamdarkyoshi said:

If they were unable to replicate the issue, then how would they patch it?

They couldn't replicate it in the latest version (60) when the issue was in 59.

 

So they decided that they didn't need to patch 59 because 60 was available. This screws over anybody who was using 59 (basically everybody except for Google, Opera and Vivaldi).



17 minutes ago, huilun02 said:

Sigh. 

Alright, Google is the bad guy. Onus is on them to cure cancer and end world hunger. Nevermind that Google was never obliged to start the FOSS Chromium project in the first place.

Gotta love FOSS :P.



2 hours ago, AluminiumTech said:

They couldn't replicate it in the latest version (60) when the issue was in 59.

 

So they decided that they didn't need to patch 59 because 60 was available. This screws over anybody who was using 59 (basically everybody except for Google, Opera and Vivaldi).

Again Electron isn't their project. If the downstream project isn't merging the latest upstream version, it falls to that downstream to backport the patches for their apps. Always has, always will.

 

You'll notice the *vast* majority of FOSS projects only maintain active support for their latest version, and perhaps an LTS version, both for updates and security patches.

 

I'm a Google fanboy so take my words here with the salt they deserve, but this isn't really Google's problem to solve.


2 hours ago, AluminiumTech said:

They couldn't replicate it in the latest version (60) when the issue was in 59.

 

So they decided that they didn't need to patch 59 because 60 was available. This screws over anybody who was using 59 (basically everybody except for Google, Opera and Vivaldi).

I'm not sure you understand how software development works. If it does not replicate in the latest version, the "fix" is then, logically, to use the latest version. That is solely the responsibility of the other software devs to upgrade their framework. This changes if and only if someone can replicate it in the latest version, which it doesn't seem like has occurred.

 

It's not up to Google now, it's up to Electron/other devs to make sure they upgrade to the latest version ASAP.


27 minutes ago, HarryNyquist said:

I'm not sure you understand how software development works. If it does not replicate in the latest version, the "fix" is then, logically, to use the latest version. That is solely the responsibility of the other software devs to upgrade their framework. This changes if and only if someone can replicate it in the latest version, which it doesn't seem like has occurred.

 

It's not up to Google now, it's up to Electron/other devs to make sure they upgrade to the latest version ASAP.

Again, that's not how Electron and CEF work. 

 

Google could have easily patched Chromium 59. Electron and CEF aren't upgrading the Chromium version to fix this. They're patching what Google failed to patch.

 

Electron and CEF can't simply introduce tons of backwards-incompatible changes for the sake of fixing one bug. Nevermind how long it would take for them to upgrade.



2 minutes ago, AluminiumTech said:

Again, that's not how Electron and CEF work. 

 

Google could have easily patched Chromium 59. Electron and CEF aren't upgrading the Chromium version to fix this. They're patching what Google failed to patch.

 

Electron and CEF can't simply introduce tons of backwards-incompatible changes for the sake of fixing one bug. Nevermind how long it would take for them to upgrade.

Google has patched Chromium 59; it's called Chromium 60.

if you want to annoy me, then join my teamspeak server ts.benja.cc


1 minute ago, The Benjamins said:

Google has patched Chromium 59; it's called Chromium 60.

Just cross off the 60 and put 59.9.


3 minutes ago, Dylanc1500 said:

Just cross off the 60 and put 59.9.

No, no.

 

Chromium 59.1 Update 1

With Google

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


15 minutes ago, Drak3 said:

No, no.

 

Chromium 59.1 Update 1

With Google

Good thing Google uses less than confusing version numbers/names.


6 minutes ago, Dan Castellaneta said:

I don't expect Google to do anything.

They're too busy worshipping unknown artists to care.

No they are worshipping A.I. now.


5 hours ago, huilun02 said:

Technically the fix to 59 is 60... 

Google has done their duty of care for the end product they provide. Electron and other apps are not Google products. Not defending Google here, but the thread title appears to be deliberately worded to make Google look like the bad guy.

Disagree. 

 

Companies, including MS with XP, have been known to patch serious security flaws despite the usual fix being to upgrade. 

CPU: Amd 7800X3D | GPU: AMD 7900XTX


27 minutes ago, Dylanc1500 said:

No they are worshipping A.I. now.

ALL HAIL, Way Of The Future!!


1 minute ago, The Benjamins said:

ALL HAIL, Way Of The Future!!

Oh great, now we are gonna end up with some cross between VIKI and SkyNet.


I'm already on 61 so at least that's not an issue for the browser, but you raise a good point about apps that have integrated it into themselves. Do you know if there's a way to tell what they're using internally? Furthermore, if Google patched the code, would these apps not need to be updated in order to include it anyway? If so, I see this whole thing as a non-issue since if they're gonna update to a patched 59 they may as well just upgrade to 60 or higher.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


 

4 minutes ago, Ryan_Vickers said:

Do you know if there's a way to tell what they're using internally?

There should be in the case of Electron although with Discord it's damn near impossible to figure out.

4 minutes ago, Ryan_Vickers said:

Furthermore, if google patched the code, would these apps not need to be updated in order to include it anyway?  If so, I see this whole thing as a non-issue since if they're gonna update to a patched 59 they may as well just upgrade to 60 or higher.

It's not that simple unfortunately. Electron deals with APIs, and thus moving from Chromium 59 to 60 could yield backwards-incompatible changes, which are not suitable for bug fixes.

 

In this case, GitHub patched Electron since Electron is based on Chromium.


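As an added example (not code from the thread, the Electron project or GitHub), a small inventory script for the two practical questions raised above: how to tell which Electron build an installed app uses, and whether that build is at or above the fixed releases the opening post quotes (1.7.8 on the 1.7 branch, 1.6.14 on the 1.6 branch). It assumes an unpacked app still carries the 'version' file that Electron's release archives ship beside the executable; the app folders and version strings in the demo are constructed.

```python
"""Added example, not from the thread or the Electron project: report which
installed Electron apps are built on a release that includes the Chromium RCE
fix discussed above (Electron 1.7.8 on the 1.7 branch, 1.6.14 on 1.6)."""
import re
from pathlib import Path

# Minimum fixed release per Electron minor branch, from the advisory quoted in
# the thread. No other branch has a listed fix.
FIXED_RELEASES = {(1, 7): (1, 7, 8), (1, 6): (1, 6, 14)}

def parse_version(text):
    """Turn 'v1.7.8' or '1.8.0-beta.3' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Electron version: %r" % text)
    return tuple(int(x) for x in m.groups())

def fmt(v):
    return ".".join(str(x) for x in v)

def assess(version):
    """Classify a (major, minor, patch) tuple against the fix on its own branch."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown", ("no fixed release is listed for branch %s; the advisory "
                           "says all recent versions are affected, so do not assume "
                           "it is safe" % fmt(version[:2]))
    if version >= fixed:
        return "patched", "%s is at or above fixed release %s" % (fmt(version), fmt(fixed))
    return "vulnerable", "%s predates fixed release %s" % (fmt(version), fmt(fixed))

def check_app_dir(app_dir):
    """Assess one unpacked app. Assumption: it still carries the 'version' file
    that Electron's release archives ship next to the executable."""
    app_dir = Path(app_dir)
    version_file = app_dir / "version"
    if not version_file.is_file():
        return {"app": app_dir.name, "version": None, "status": "unknown",
                "reason": "no Electron 'version' file; identify the build manually"}
    version = parse_version(version_file.read_text())
    status, reason = assess(version)
    return {"app": app_dir.name, "version": fmt(version), "status": status, "reason": reason}

def scan(root):
    """Assess every subdirectory of root; worst status first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    reports = [check_app_dir(p) for p in Path(root).iterdir() if p.is_dir()]
    return sorted(reports, key=lambda r: order[r["status"]])

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample app folders
        for name, ver in [("chat-app", "v1.7.7"), ("notes-app", "v1.6.14"), ("old-app", "v1.4.15")]:
            (Path(root) / name).mkdir()
            (Path(root) / name / "version").write_text(ver)
        for r in scan(root):
            print("%-10s %-7s %-10s %s" % (r["app"], r["version"], r["status"], r["reason"]))
```

Apps whose folder lacks the version file, or whose branch has no listed fix, are deliberately reported as unknown rather than safe, since the quoted advisory says all recent Electron versions are affected.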

6 minutes ago, AluminiumTech said:

 

There should be in the case of Electron although with Discord it's damn near impossible to figure out.

It's not that simple unfortunately. Electron deals with APIs, and thus moving from Chromium 59 to 60 could yield backwards-incompatible changes, which are not suitable for bug fixes.

 

In this case, GitHub patched Electron since Electron is based on Chromium.

I was looking here, and I'm not sure if I'm interpreting this right, but it looks like Google only considers the latest stable version to be "current" (i.e., not discontinued). I would have thought they'd maintain a few, but I guess this news is a sign they don't. So, to them, patching 59 would be like MS patching XP at this point ¯\_(ツ)_/¯


1 hour ago, goodtofufriday said:

Disagree. 

 

Companies, including MS with XP, have been known to patch serious security flaws despite the usual fix being to upgrade. 

Which ultimately holds back everything.

 

Take Windows XP: think for a moment that you are an IT technician and you have for the last few years been trying to update systems from XP. Now your boss was close to saying yes, but then MS patched XP, your main argument of "it's no longer supported" is void, and your systems yet again sit on old software.

 

Google has taken the right approach here: when it is not supported, it is NOT supported and gets no updates, no matter what the flaw is.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


Holy fuck your fanboyism for Microsoft and hatred for their competitors knows no bounds... 

 

Google did not refuse anything. They have fixed the issue and released an update. That update is version 60 of Chromium. If some other developer doesn't want to use the patched version then that is their issue, not Google's.

 

If Electron has decided that they only update to each second Chromium release then they will be behind 50% of the time. 


I'm not sure if the OP is trolling or is really this obtuse. Google has updated their product, and these other developers refusing to use the latest release are the ones that are putting their users at risk. 
