jwzSep 26, 2023

From this thread:
https://infosec.exchange/@TomSellers/111126339492371432
I found that these apps installed on my Mac are still vulnerable to the WebP exploit:

Arduino IDE, Keybase, Slack, and AdGuard for Safari.

The first 3 I haven't launched in months, but... it certainly was A Choice that "AdGuard *FOR SAFARI*" contains an entire copy of "Chrome/100.0.4896.160" inside it.

Tom Sellers (@[email protected])

Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's [excellent article on Ars Technica](https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/). As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook. I threw together the following shell command to help macOS audit which versions of Electron apps are installed. ``` find /Applications -type f -name "*Electron Framework*" -exec \ sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \; ``` When run, you should see something similar to the following: ``` /Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework Chrome/114.0.5735.289 Electron/25.8.1 /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework Chrome/116.0.5845.188 Electron/26.2.1 ``` #Security #Electron #CVE20234863 #CVE-2023-4863

Infosec Exchange
Show threadjwzSep 26, 2023
So what ad blocker should I be using with Safari instead of AdGuard? Is Adblock Plus the only other game in town? They seem to be beg-ware now who have been co-opted into claiming that there is such a thing as an "acceptable ad".
Show threadSteven BlackSep 26, 2023

@jwz one option is to proactively block in a more foundational layer in your stack.

Example: my hosts files have nearly 23k stars, a decade-long track record, and is used by all those blockers.

https://github.com/StevenBlack/hosts

GitHub - StevenBlack/hosts: đŸ”’ Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

đŸ”’ Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories. - StevenBlack/hosts

GitHub
Show threadjwzSep 26, 2023
@steveblack No fucking way
Show threadSteven BlackSep 26, 2023

@jwz Way!

Unless I misunderstood… if so, care to elaborate?

Show threadjwzSep 26, 2023
@steveblack That is the "just recompile your kernel" approach to ad blocking. Have fun with that. 100% not interested.
Show threadSteven Black

@jwz lol whatever you say.

I must say, though, this is Mos Def the first time I've ever heard a stated equivalency between

* "copying a plaintext file to a location used by 100% of online devices, including IOT devices, since the dawn of the internet"

...and...

* "recompiling your kernel" (your words)

Sep 26, 2023 at 7:21pmIvory for iOS
Show threadjwzSep 26, 2023
@steveblack \/\/