A remote code execution vulnerability was addressed in the Electron framework, which powers highly popular desktop applications, including Slack, Skype, Signal, GitHub Desktop, Twitch, WordPress.com, and others.
Created in 2013, the framework allows developers to use web technologies such as JavaScript, HTML, and CSS to develop native desktop applications. An open source project maintained by GitHub and an active community of contributors, Electron uses Chromium and Node.js and supports Windows, macOS, and Linux platforms.
There are over 460 cross-platform desktop applications using Electron, but only those that use custom protocol handlers are impacted by the vulnerability. Only applications built for Windows are affected by the bug. macOS and Linux not vulnerable.
Tracked as CVE-2018-1000006, the flaw impacts Electron applications for Windows that register themselves as the default handler for a protocol, like myapp://.
According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API).
The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.
“If for some reason you are unable to upgrade your Electron version, you can append “–“ as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “–“ signifies the end of command options, after which only positional parameters are accepted,” Electron explains.
Although only Windows applications that register themselves as handlers are affected by the remote code vulnerability, all Electron developers are advised to update their software to the latest stable version as soon as possible.
Related: Android Development Tools Riddled with Nasty Vulnerabilities
More from Ionut Arghire
- Google Leads $16 Million Investment in Dope.security
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
