
Electron critical vulnerability strikes app developers

The dangerous bug allows attackers to remotely execute code through the popular app framework.


A critical vulnerability affecting Electron desktop apps has been disclosed.

Electron is a framework built on Node.js, V8, and Chromium for developing cross-platform desktop apps with JavaScript, HTML, and CSS.

Although the framework runs on Mac, Linux, and Windows, the recently discovered bug affects Windows alone.

The critical vulnerability affects Electron apps which use custom protocol handlers. Assigned the identifier CVE-2018-1000006, the vulnerability is present in Electron apps which register themselves as the default handler for a protocol, such as myapp://.

Regardless of how the protocol is registered, whether with native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API, apps may still be vulnerable to compromise.

If exploited, the vulnerability permits attackers to remotely execute code, potentially leading to app hijacking and data loss.

The Electron framework is popular and widely used by a range of desktop app services. Skype, Signal, Slack, Shopify, and Surf are among the users, but whether a given app is vulnerable depends on whether its developers registered it as a custom protocol handler.

The security advisory has not revealed how many adopter apps use the default protocol handler, and so it is not possible to say how many apps or users have been affected.


However, speaking to Cyberscoop, Microsoft confirmed the newest version of Skype mitigates the vulnerability, and so users with an up-to-date version of the VoIP software will not be at risk.

Electron has updated the framework to patch the vulnerability and urges developers to update immediately.

If an upgrade is not possible, developers can append "--" as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options and the bug from being triggered.
