Electron patches patch after security researcher bypassed said patch

In an update last week, the developers of Electron – the toolkit used to craft widely used apps from Skype and Slack to Atom – shipped a patch to their January patch, and now, an infosec researcher has explained why. A remote-code execution vulnerability, CVE-2018-1000006, was found in Windows applications developed using …

  1. John Smith 19 Gold badge

    So here's the thing when you use a development framework.

    You inherit all its flaws/bugs as well.

    1) Which the framework support team have to fix.

    2) Which you have to roll out to any apps you wrote using it.

    3) Which then have to be rolled out to any end users of your app.

    Something tells me a shed load of people (who have no idea their apps were built with this) will remain vulnerable for years to come.

    But that applies to any other such framework as well.

  2. Christian Berger

    It's simply a terrible idea

    to use a full browser, one of the most complex software projects around, as a GUI framework. Seriously, Windows 3.1 had a powerful GUI framework and that fit onto a single floppy disk.

    Besides browsers were never made for interactive applications, that's why it's so hard to do that with them.

    1. Anonymous Coward

      Re: It's simply a terrible idea

      But it's a low hanging fruit, you can reuse your cheap javascript developers, adding fancy graphics is easier, and nobody now really cares about the quality of applications.

      1. Christian Berger

        Re: It's simply a terrible idea

        "But it's a low hanging fruit, you can reuse your cheap javascript developers"

        Yes, but getting software written by people who have little idea what they are doing is actually a recipe for disaster. We have seen that in the 1990s. It was so bad that crashing computers were the norm in the PC and Mac world.

    2. Anonymous Coward

      Re: It's simply a terrible idea

      @Christian Berger: "It's simply a terrible idea to use a full browser, one of the most complex software projects around, as a GUI framework."

      Or to run native code in the browser. They also seem to be suffering from third-version-itis, as in they throw in everything they left out of the first clean version.

      Architectural Risk Analysis of Chromium

  3. Destroy All Monsters Silver badge

    What is Electron?

    Is it like the GNU/Emacs of the JavaScript niche?

    1. Christian Berger

      Re: What is Electron?

      No it's like all those jokes about EMACS combined and amplified by a factor of 100. Essentially Electron is not just an operating system like EMACS, it's much more complex than an operating system, yet has very little actual functionality.

      1. Baudwalk

        Re: What is Electron?

        >>>yet has very little actual functionality.<<<

        Little functionality, you say?

        But with Atom, your syntax highlighting theme can easily make parts of your source (e.g. TODO comments) gently fade between different background colours.

        And all that essential functionality for only an installed size of 715MB!

        1. Christian Berger

          Re: What is Electron?

          Well true, I think it also allows your text editor to execute code from text files without your intervention. Kinda like the Canon Cat, but less competently made.

      2. Anonymous Coward

        Re: What is Electron?

        "No it's like all those jokes about EMACS combined"

        I got a flashback to old MAD Magazines in German. "Nein, sondern..."
