Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework
A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications, including Skype, Signal, WordPress and Slack.
Electron is an open-source framework based on Node.js and the Chromium engine that allows app developers to build cross-platform native desktop applications for Windows, macOS and UNIX without knowledge of the programming languages used for each platform.
The vulnerability, tracked as CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a custom protocol such as myapp://.
The Electron team has also confirmed that applications built for Apple's macOS and UNIX are not affected, and neither are applications (including Windows ones) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released new versions of the framework (1.8.2-beta.4, 1.7.11 and 1.6.16) to address this critical vulnerability.
End users can do nothing about this vulnerability themselves; instead, developers using the Electron framework need to upgrade their applications immediately to protect their user base.
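To turn the scope rule and fixed versions above into a quick triage check, here is an added helper (written for this article, not code from the Electron project or the advisory). It takes an app's Electron dependency string, platform and whether it registers a protocol handler, and reports whether the app falls within the advisory's scope; the fixed versions are the ones the article lists, and the helper assumes that branches older than 1.6 have no fix and are affected, while anything newer than 1.8.2-beta.4 is past the fix.

```javascript
// Fixed releases named in the advisory, keyed by Electron release branch.
const FIXED_BY_BRANCH = {
  "1.6": "1.6.16",
  "1.7": "1.7.11",
  "1.8": "1.8.2-beta.4",
};

// "^1.8.2-beta.3" -> { nums: [1, 8, 2], pre: ["beta", 3] }; pre is null for a release.
function parseVersion(v) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? [m[4].toLowerCase(), Number(m[5])] : null,
  };
}

// Semver-style ordering: a release outranks any prerelease with the same core.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  if (a.pre[0] !== b.pre[0]) return a.pre[0] < b.pre[0] ? -1 : 1;
  return a.pre[1] - b.pre[1];
}

// app = { electronVersion, windows, registersProtocolHandler }
// Only Windows apps that register a protocol handler are in scope (per the article).
function isAffected(app) {
  if (!app.windows || !app.registersProtocolHandler) return false;
  const v = parseVersion(app.electronVersion);
  const fixed = FIXED_BY_BRANCH[`${v.nums[0]}.${v.nums[1]}`];
  if (fixed) return compareVersions(v, parseVersion(fixed)) < 0;
  // Assumption: no fixed release on this branch. Older than 1.6 is unpatched,
  // newer than the 1.8 line already carries the fix.
  return compareVersions(v, parseVersion("1.6.0")) < 0;
}

// Constructed sample: a Windows build on 1.7.10 that registers myapp:// is in scope.
const sample = { electronVersion: "^1.7.10", windows: true, registersProtocolHandler: true };
console.log(`affected: ${isAffected(sample)}`);
```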
Few details of the remote code execution vulnerability have been disclosed yet, and the advisory did not name any of the vulnerable apps (those that make themselves the default protocol handler) for security reasons.