Another severe bug has been discovered in Signal app for Windows and Linux

Cybersecurity researchers have discovered a severe vulnerability in the famous end-to-end encrypted Signal messaging app for Windows and Linux desktops which could allow remote attackers to execute malicious code on recipients system just by sending a message, without requiring any user interaction.
The vulnerability already has a proof-of-concept video, which demonstrates how a javascript payload sent over Signal, for the desktop app, can successfully be executed on the recipient’s system.

Good news is the technical details of the vulnerability have not been yet revealed. The vulnerability is caused by a remote code execution flaw in Signal or at least something very close to persistent cross-site scripting (XSS).
For now, we can only confirm the execution of javascript code. However we are tracking a corruption issue, and it’s very likely than the javascript execution could lead to native code execution.
We can confirm that this bug did not exist before and it was last introduced because the devs forgot why there was a regex there, to begin with.

At this moment, it is not clear if the primary vulnerability exists only in the source code of Signal or also in the famous Electron web application framework, the technology on which Signal desktop applications are based.
We said it before, and we are saying it now: anything can be hacked and almost every app has flaws. Remember that it is essential for every user and company to add extra measures of cybersecurity. Every user must use only the best cybersecurity solution like an antivirus for Windows or antivirus for Mac depending on which OS their device is running. Also, every company must go an extra step to obtain the best cybersecurity measure; this can be done by hiring a cybersecurity firm that will attack purpose the company’s network of revealing its most destructive and dangerous flaws.
This kind of deliberate attacks is done through specialized cybersecurity tests like penetration test and ethical hacking tests.

If the flaw affects Electron framework, it might be possible that other widely-used desktop applications like Skype, WordPress, and Slack are exploitable. Moreover, we are also worried that if this flaw allows remote hackers to steal secret encryption keys, it would be the worst nightmare for Signal users.
Open Whisper Systems has already fixed the issue by immediately releasing new versions of Signal app within a few hours after receiving the responsible vulnerability disclosure by the researcher.
The first vulnerability that triggers the code execution has been patched in Signal stable release version 1.10.1 and pre-release version 1.11.0-beta.3. Users are advised to update their Signal for desktop applications as soon as possible.
Because we want you to stay safe and secured in front of all vulnerabilities like this one, we recommend implementing a robust cybersecurity solution into your devices like an antivirus for Windows or antivirus for Mac depending of which OS are your machines running. We also suggested that every company must hire a specialized cybersecurity firm that will perform various tests like a penetration test and various ethical hacking tests on company’s network to reveal if any network flaws are present.
For companies that exist 100% online, we recommend the using of cyber-secured web hosting services.