Skype, Slack, other apps inherit Electron vuln
Devs, check your protocol handling, patch if necessary
Updated If you've built a Windows application on Electron, check to see if it's subject to a just-announced remote code execution vulnerability.
Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.
Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.
Here's what the advisory has to say:
“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.
“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.
A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron's developers said.
The advisory doesn't give any indication how many apps make themselves the default protocol handler.
Electron has pushed out two patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®
Updated to add
Signal reckons it's not affected:
Signal does not register any custom protocol handlers and is not affected by this vulnerability.— Signal (@signalapp) January 24, 2018