Zulip Desktop 5.0.0 security release

Tim Abbott Apr 1, 2020 • 3 min read

Today we released Zulip Desktop 5.0.0, fixing multiple critical security issues as well as several other important issues:

CVE-2020-10856: Remote code execution due to missing context isolation.
CVE-2020-10857: Remote code execution due to unsafe use of shell.openExternal and shell.openItem.
Downloaded files will no longer be opened directly in-app; the previous option to show downloaded files in the file manager is now always on.
CVE-2020-10858: Webcam and microphone recording due to missing permission request handler.
Electron and other key dependencies are upgraded to the latest upstream releases. In addition to fixing security issues in these important dependencies, this improves performance and fixes browser bugs, as it means the app is using a much newer version of the underlying Chromium browser.
Several other security configuration and hardening improvements.
Deprecation: This will be our last release where we provide downloads for 32-bit versions of Linux. We’ll continue to support 64-bit Linux, as well as Windows and macOS.

Huge thanks to Matt Austin for responsibly reporting CVE-2020-10856, CVE-2020-10857, and CVE-2020-10858, and helping validate the fixes.

I’m sad to say that the root cause of this bundle of security issues was that our security team was not properly involved in the development of the Zulip desktop app. With this release, our security team has completed an initial audit of the desktop app’s security practices and fixed the security issues identified by that audit.

I’d like to take this opportunity to apologize to the community for the Zulip desktop app development process that led to these issues. While security bugs are inevitable in software development, we consider these particular issues to be unacceptable and are taking major steps to ensure the desktop app is managed better in the future.

Upgrading

All installations should upgrade to this latest release as soon as possible. Because the desktop app updates automatically, many users have already have upgraded to this new version.

However, Zulip Desktop 2.3.82, released in late 2018, had buggy auto-update functionality and will not auto-update (while claiming it’s up-to-date), and some users are still using that release. Zulip versions 2.1.3 and later block access from Zulip Desktop 2.3.82, with an error page asking the user to download a current release from https://zulipchat.com/apps. We’re releasing Zulip 2.1.3 in the next 24 hours.

It will also display a red banner at the top of the page to anyone using any Zulip Desktop release older than this new 5.0.0 release.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect:

Join chat.zulip.org, the Zulip community Zulip server. Several streams have user feedback and discussion as their primary purpose.
Follow us on Twitter, or join our announcement mailing list.