Popular Apps Like Skype and Slack Potentially Vulnerable to a Framework Security Flaw
While the Electron framework runs on Windows, Mac, and Linux, the flaw appears to affect only Windows. Since its creation in 2013 by the GitHub team, the framework has become extremely popular, enabling app developers to build cross-platform applications. Apps built on Electron include (which does not mean they are vulnerable):
- Skype (latest version carries the security fix)
- Visual Studio Code
- GitHub (Atom Editor)
- WordPress.com and others
However, whether a given app is exposed depends on how the developer has used Electron's protocol handling. Tracked as CVE-2018-1000006, the flaw is a remote code execution vulnerability affecting Electron apps that use custom protocol handlers. Using this vulnerability, attackers can remotely execute code, leading to app hijacking and potential data loss. The Electron team describes the affected configuration as follows:
Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.
Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.
macOS and Linux are not vulnerable to this issue.
This protocol handler vulnerability has been fixed in new versions of Electron: 1.8.2-beta.4, 1.7.11, and 1.6.16. The Electron developers said that app developers who cannot update their apps immediately can apply a temporary workaround. Several apps already ship the fix, so end users should update their apps as soon as possible. Since the flaw only affects Windows, Microsoft has also updated Windows Defender to safeguard against this vulnerability.
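The two facts above, that exposure requires registering a custom protocol handler (for example via `app.setAsDefaultProtocolClient`) and that the fix landed in Electron 1.6.16, 1.7.11 and 1.8.2-beta.4, translate into a simple audit a developer can run over their own project. The following Node.js script is an added example, not code from this article or from the Electron project: it compares a project's declared Electron version against those fixed releases (with proper handling of pre-release tags such as `beta.4`) and flags projects that also call the protocol-registration API. The sample `package.json` and `main.js` contents are constructed for the example, and the `auditProject`, `hasProtocolHandlerFix` and `compareVersions` function names are the example's own.

```javascript
// Added example (not from the article or the Electron project): audit an
// Electron project's declared Electron version against the releases named
// as carrying the fix for CVE-2018-1000006, and flag projects that also
// register a custom protocol handler.

const FIXED_IN = ['1.6.16', '1.7.11', '1.8.2-beta.4'];

// Parse "1.8.2-beta.4" (optionally prefixed with ^, ~, = or v) into parts.
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Compare one pre-release identifier the way semver does: numeric identifiers
// compare numerically and sort before alphanumeric ones.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b. A release without a pre-release
// tag is newer than the same release with one (1.8.2 > 1.8.2-beta.4).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// true if the given Electron version includes the protocol-handler fix.
// Assumption (not stated in the article): no fix exists for branches older
// than 1.6, and every release newer than 1.8.2-beta.4 carries the fix.
function hasProtocolHandlerFix(version) {
  const v = parseVersion(version);
  const branchFix = FIXED_IN.find((f) => {
    const p = parseVersion(f);
    return p.major === v.major && p.minor === v.minor;
  });
  if (branchFix) return compareVersions(version, branchFix) >= 0;
  return compareVersions(version, '1.8.2-beta.4') > 0;
}

// Audit a project: pkg is the parsed package.json, sources the text of its
// main-process files. Only the app.setAsDefaultProtocolClient route is
// detected here; handlers registered through native code or the Windows
// registry are affected too, so a clean source scan is not proof of safety.
// The declared version is a minimum; the lockfile or installed copy of
// node_modules/electron is authoritative for what actually ships.
function auditProject(pkg, sources) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const electronVersion = deps.electron || null;
  const registersProtocol = sources.some((s) => s.includes('setAsDefaultProtocolClient'));
  const fixed = electronVersion ? hasProtocolHandlerFix(electronVersion) : null;
  return {
    electronVersion,
    fixed,
    registersProtocol,
    // Windows-only issue; flag anything registering a handler on unfixed Electron.
    atRisk: registersProtocol && fixed === false,
  };
}

// Constructed sample inputs for the example.
const VULNERABLE_PKG = { name: 'myapp', devDependencies: { electron: '^1.7.10' } };
const PATCHED_PKG = { name: 'myapp', devDependencies: { electron: '1.7.11' } };
const MAIN_JS = `
const { app } = require('electron');
app.setAsDefaultProtocolClient('myapp');
`;

console.log(auditProject(VULNERABLE_PKG, [MAIN_JS])); // atRisk: true
console.log(auditProject(PATCHED_PKG, [MAIN_JS]));    // atRisk: false
```

Pointing `auditProject` at a real project means reading `package.json` with `JSON.parse(fs.readFileSync(...))` and passing the main-process source files; a result with `fixed: null` means no Electron dependency was declared and the installed version has to be checked by hand.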
Correction: an earlier version of this piece incorrectly mentioned Brave in the affected list of apps.