Forum Discussion
Teams Updater Vulnerability
- Nov 14, 2019
This particular Squirrel vulnerability was fixed in Teams version 1.2.00.21068.
Thanks!
John
The Microsoft folks are aware of this already, and with them "owning" Electron now it shouldn't take a lot of time to patch. The more interesting question here is why was this allowed to happen in the first place, considering security is on top of their SDL list. Guess we can always blame it on the open-source model, but whoever decided to use Electron should have put it through the SDL list to begin with...
I have met some of the Teams Dev team at a conference. They seem very well-meaning and want to build a great product, but I get the sense that there is a lack of appreciation for enterprise and security. That shows in the product.
Unfortunately the Electron / Squirrel updater issues are not confined to Teams. Slack and a few other widely used products have the same issues.
Also interesting to note that Electron have deprecated the use of Squirrel on Windows.