Postmortem: Zettlr’s first Security Incident

This postmortem has been crossposted to.

On Friday, May 7th, 2021, Zettlr 1.8.8 was released, containing a fix that addresses several CVEs within the Electron framework. There was a security hole that potentially allowed malicious actors to gain access to your computer using a specifically crafted HTML document. One week later, on May 13th, 2021, another hotfix – Zettlr 1.8.9 – was released, addressing yet another security issue that allowed something similar, but with much less effort: all it required was a maliciously crafted Markdown document containing an insecure iFrame element.

In this postmortem, I will first lay out the timeline of the incident, explain what went wrong and why it went wrong, and close by indicating what steps I will take in the future in order to minimise this problem. To be upfront with you: the second hotfix could’ve been avoided, so I take full responsibility for simply being negligent in this regard. But let us tackle the incident one step at a time.

Was I affected?

It is very likely that you were not affected by this security issue. If you disabled the “Render iFrames” setting in the display preferences, you were definitely not affected. Otherwise, ask yourself these questions: (a) Did I open a Markdown document that I received from someone else? (b) Did this document contain an iFrame element, e.g., an embedded video? (c) Did I copy a video embed code (or the embed code for something else) from a lesser-known site (not, e.g., via the YouTube or Vimeo share button)? (d) Did any of these iFrames contain the srcdoc attribute? If you can answer any of these questions with “Yes”, it might be that you have been affected. In this case, immediately disable the option “Render iFrames” in your display preferences, then open the Markdown documents in question and double-check the code. As soon as you upgrade to Zettlr 1.8.9, you can safely re-enable the “Render iFrames” preference.

In Q2 2021, the CVE number (Common Vulnerabilities and Exposures) CVE-2021-21222 was assigned to publicly announce a security hole in the Chromium browser. This security hole was located in the so-called V8 engine, the piece of Chromium that enables JavaScript support for the browser. The issue was due to a fairly common bug in software (a heap buffer overflow) and allowed an attacker to circumvent the security measures of the browser that are supposed to make sure that no website can execute malicious code to access your computer. This security measure is called sandboxing and prevents code from some website from interacting with your computer in any way.

In short succession, a total of eight CVE numbers were publicly released, all concerning the same issue:

Following the public release of this issue, all affected developers began fixing their Chromium version. In this regard, it is necessary to state the importance of bugs in Chromium. While you may not have heard of Chromium before, its importance to the software industry cannot be overstated: Chromium is an Open Source browser. Chromium is being used by Google to build their Chrome browser. Google Chrome is – in simple terms – the Chromium browser with custom elements (such as settings synchronisation and Google account management), wrapped and packaged to be released as Google Chrome.

Chromium is also being used as an engine to render web content across many products. For example, the Electron framework takes the Chromium browser in order to allow Electron apps to use web content to display their user interface. Thus, the Electron framework was also affected by the above-mentioned CVEs. And, since Zettlr is built on top of the Electron framework, Zettlr was also affected. The new Electron version 12.0.6, which fixed the above CVEs, was released in the first week of May, and I immediately updated the Electron version of Zettlr’s development branch to that one and knew that I needed to update the current release of Zettlr 1.8 as well.

However, the whole situation is not as simple as that. On that same day, I received an email that alerted me that something else was going on. The email came from the Japanese cybersecurity organisation JPCERT, one of the major agencies that monitors the security of software and works closely with the Japanese government in maintaining the safety of publicly available software products. A Japanese security researcher had found a security issue in Zettlr and reported it to JPCERT/CC (JPCERT’s Coordination Center), which in turn contacted me for a disclosure.