Unfortunately, as we often state in security posts, new threats are always emerging, and this week was no exception. Another important security vulnerability has been identified, and it could pose a serious risk to businesses and their employees. This week's threat comes in the form of a locally installed desktop phone application.
This post discusses which app is having the issue, what you need to know and what you can do to protect yourself.
New Security Threat: 3CX Phone App for Desktop Computers
The new threat relates to desktop phone applications. In case this is something you have never used, a desktop phone app is a way to make and take phone calls using the microphone and speaker on the device without having a physical desktop phone.
Desktop phone apps have increased in popularity for several reasons, including that they are easy to configure and deploy to new users. Additionally, their monthly fees are often really low, or free, while physical phones can be expensive, easily costing several hundred dollars. Lastly, if a business switches phone plan carriers, it is often required to replace all of the physical phones or pay to have the existing phones reprogrammed, which can be another big expense.
What you need to know
The application with the security vulnerability is called "Electron Windows App" and is used by 3CX. The following versions are vulnerable to this recent security threat:
- Versions 18.12.407 and 18.12.416, which shipped in update 7 and are likely to be flagged as a security threat by anti-malware software.
- Version 18.11.1213
- Version 18.12.402
- Version 18.12.407
- Version 18.12.416
What you can do
If you are running the Electron Windows App on your computer, check to see if the version you have is one of the affected versions.
- Open the Control Panel by searching for it and then click on "Programs and Features".
- The right-most column shows the version number of installed applications.
If you have a version that is not on the list, you do not need to do anything else. However, if you have one of the affected versions installed, remove the application until a security fix is released. If you do remove the application, you can use 3CX's PWA app in the meantime. This will allow you to continue to make and take phone calls from your computer until a security patch is released.
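The version check described above can also be scripted, which helps when more than one computer needs checking. The following PowerShell is an added example, not code from 3CX or from the original post; it reads the registry uninstall keys that back "Programs and Features" and compares each match against the versions listed in this post. It assumes the app's display name contains "3CX", and the HKCU key only covers the user who runs the script.

```powershell
# Affected versions, as listed in this post.
$affected = '18.11.1213', '18.12.402', '18.12.407', '18.12.416'

# Assumption: the entry shown in "Programs and Features" contains "3CX".
$namePattern = '*3CX*'

# Registry keys behind the "Programs and Features" list: machine-wide
# (64-bit and 32-bit views) plus installs made by the current user.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    # Compare major.minor.build only, so "18.12.416.0" matches "18.12.416".
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $false }
    $short = '{0}.{1}.{2}' -f $parsed.Major, $parsed.Minor, $parsed.Build
    return $affected -contains $short
}

# Collect every matching entry with its version and an Affected flag.
$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $namePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Affected = Test-AffectedVersion $_.DisplayVersion
            Key      = $_.PSPath
        }
    }

if (-not $found) {
    Write-Output 'No matching application found in the uninstall keys checked.'
} else {
    $found | Format-Table Name, Version, Affected -AutoSize
    if (@($found | Where-Object Affected).Count -gt 0) {
        Write-Warning 'An affected version is installed. Remove it until a fix is released.'
    }
}
```

An entry whose version cannot be parsed is reported as not affected, so read the Version column as well as the Affected flag.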
The main difference between Electron and PWA is that Electron requires the installation of a local executable while PWA is dependent on a web browser. Running in the browser makes the PWA quick and easy to begin using and protects your device from the Electron software vulnerability.
New security threats are constantly being exposed. Sometimes these threats are found in existing applications. Other times they are found because an update is released that inadvertently introduced the vulnerability. However the security threat is created or found, it is important to be aware of it, understand what you can do to protect yourself and take the appropriate action to reduce your risk. In this most recent case, this consists of checking the application version and possibly uninstalling the app until a security patch is released.
As always, being aware of current threats is one of the best ways to protect yourself!