A critical remote code execution vulnerability has been reported in Electron—a well-liked web application framework of which powers thousands of widely-used desktop applications including Skype, Signal, WordPress as well as also Slack—of which allows for remote code execution.
Electron can be an open-source framework of which can be based on Node.js as well as also Chromium Engine as well as also allows app developers to build cross-platform native desktop applications for Windows, macOS as well as also Linux, without knowledge of programming languages used for each platform.
The vulnerability, assigned as the number CVE-2018-1000006, affects only those apps of which run on Microsoft Windows as well as also register themselves as the default handler for a protocol like myapp://.
“Such apps can be affected regardless of how the protocol can be registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API,” Electron says in an advisory published Monday.
The Electron team has also confirmed of which applications designed for Apple’s macOS as well as also Linux are not vulnerable to This specific issue, as well as also neither those (including for Windows) of which do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released two brand-new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, as well as also 1.6.16 to address This specific critical vulnerability.
“If for some reason you are unable to upgrade your Electron type, you can append—as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium via parsing further options,” the company says.
End users can do nothing about This specific vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.
Much details of the remote code execution vulnerability have not been disclosed yet, neither the advisory named any of the vulnerable apps (of which make themselves the default protocol handler) for security reason.
We will update you as soon as any details about the flaw come out.