Users of the Signal encryption application for Windows and Linux need to patch their software as soon as possible. According to an article in Hacker News, a security researcher in Argentina discovered a bug in the end-to-end encryption software that allows bad actors to inject malicious code into a message and have it execute on the target machine without action by the recipient.
For readers who want the technical description, here is how the researcher characterizes the bug:
“the issue appears to be a remote code execution vulnerability in Signal or at least something very close to persistent cross-site scripting (XSS) which eventually could allow attackers to inject malicious code onto targeted Windows and Linux systems.”
The full details of the bug have not been disclosed yet. That can be a good thing: publishing how an exploit works before a patch exists and has been distributed gives bad actors a head start on using it. We have discussed this practice in previous posts and consider it wise to withhold the full details of a flaw until the fix is ready. But there is a limit. The flaws discovered in Intel hardware were known for months before anything was said, leaving millions of users vulnerable. That is far too long to wait.
Let’s give credit to the developers of the Signal app. They released a patch within hours of receiving the researcher’s report. Be sure to download and install the fix, which is contained in stable release version 1.10.1 and pre-release version 1.11.0-beta.3.
Users of the application should stay alert for further updates, because it is not yet known whether all of the related vulnerabilities have been patched. Signal’s desktop client runs on the Electron application framework, and it is not clear whether related bugs exist in that framework itself. Skype, WordPress, and Slack also use Electron, so their users may face similar risks.
The primary concern in any encryption program is theft of the encryption keys. Once that happens, the bad actors can read every message sent between two users. CRIP.TO addresses this risk with its unique hardware/software solution. The keys are stored in dedicated hardware, the CRIP.TO Black, which makes them virtually impervious to theft. Protected by proprietary code, they are inaccessible to outside programs and attacks. If the Black is stolen, it is designed to resist cloning, leaving the thieves with an attractive but useless box.
Find out more about the CRIP.TO solution and check out our ICO, pre-sale beginning May 17, 2018! Be part of the revolution in secure communications with our solutions and stack of services. We are dedicated to giving you the freedom to communicate fearlessly.