This repository has been archived by the owner on May 22, 2020. It is now read-only.

9.61.38.41

@HarsimranSingh HarsimranSingh released this 03 Jun 20:19
· 381 commits to develop since this release

Notice: OpenFin 9 Security Patch | Zero-Day “Use-After-Free” Vulnerability

OpenFin has addressed the potential Zero-Day “Use-After-Free” vulnerability discovered and fixed by the Chrome team. The vulnerability impacts prior versions of Chromium, which are included in prior versions of OpenFin. The fix can be consumed by upgrading your applications to 9.61.38.41.

What do you need to do?

OF recommends upgrading your applications to use the most recent Stable release - OpenFin Runtime 9.61.38.41.
As recommended, always run with the Chromium Sandbox enabled.
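The two recommendations above (patched runtime, sandbox enabled) can be checked mechanically across deployed app manifests. This is an added example, not OpenFin code; it assumes the manifest layout `"runtime": {"version": ..., "arguments": ...}` and treats the Chromium flag `--no-sandbox` in those arguments as disabling the sandbox.

```python
"""Audit OpenFin application manifests for the 9.61.38.41 security patch.

Assumptions (not from the release note): manifests carry a "runtime" object
with "version" and optional "arguments" fields, and the Chromium command-line
flag --no-sandbox disables the sandbox.
"""
import json
import re

PATCHED_VERSION = "9.61.38.41"  # stable release named in the advisory


def parse_version(text):
    """Turn a dotted OpenFin runtime version into a comparable integer tuple."""
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a numeric runtime version: {text!r}")
    return tuple(int(p) for p in parts)


def audit_manifest(manifest_json):
    """Return a list of findings for one app manifest (empty list means OK)."""
    findings = []
    runtime = json.loads(manifest_json).get("runtime", {})
    version = runtime.get("version", "")
    args = runtime.get("arguments", "")
    try:
        if parse_version(version) < parse_version(PATCHED_VERSION):
            findings.append(f"runtime {version} predates {PATCHED_VERSION}")
    except ValueError:
        # Channel aliases such as "stable" cannot be compared numerically;
        # flag them so the version they resolve to is checked by hand.
        findings.append(f"runtime version {version!r} is not pinned")
    if "--no-sandbox" in args.split():
        findings.append("Chromium sandbox disabled via --no-sandbox")
    return findings


# Constructed sample manifests for demonstration (not real deployments).
VULNERABLE_MANIFEST = json.dumps(
    {"runtime": {"version": "9.61.38.40", "arguments": "--no-sandbox"}}
)
PATCHED_MANIFEST = json.dumps({"runtime": {"version": "9.61.38.41"}})

if __name__ == "__main__":
    for name, doc in [("vulnerable", VULNERABLE_MANIFEST), ("patched", PATCHED_MANIFEST)]:
        print(name, audit_manifest(doc) or "OK")
```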

Who may be potentially impacted?

Win7 32-bit machines

What is the vulnerability?

“Use-After-Free” exploits can be used to compromise a program/process and run arbitrary code. Processes running in the Chrome Security Sandbox have limited access to an end user's system.

A second vulnerability was discovered in Microsoft Windows allowing a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape.

When both vulnerabilities are exploited together, untrusted and web-delivered JavaScript can compromise the browser, escape the security sandbox, and access an end user's system unchecked.

The Chrome security team strongly believes the Windows vulnerability only exists on Windows 7. At this time, Windows 7 32-bit is the only environment where active exploitation of both the Chrome and Microsoft Windows vulnerabilities was observed.

Chrome Release Note

Chromium PR (Auth Required)

Google Security Blog

Dangling Pointer

Known Issues

  • Existing OpenFin deployments may experience some issues with the cache migrating correctly as a result of an OpenFin Runtime upgrade. These issues are resolved in OpenFin 9.61.38.40 and also require an OpenFin RVM 4.7 upgrade*, which will be available in Beta on Jan 14.
  • .NET Adapter implementations, using "browser like" navigation, may encounter blank screens
  • Connecting to a channel as a client from the same window in which the channel was created results in an error and overwrites the channel provider
  • Animating grouped windows is not supported