Security

Skype, Slack, other apps inherit Electron vuln

Devs, check your protocol handling, patch if necessary

By Richard Chirgwin


Updated If you've built a Windows application on Electron, check to see if it's subject to a just-announced remote code execution vulnerability.

Electron is a Node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It's widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here's what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron's developers said.

The advisory doesn't give any indication how many apps make themselves the default protocol handler.

Electron has pushed out two patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®
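As an added example (not from the article and not Electron's own code), here is the advisory's workaround wrapped around app.setAsDefaultProtocolClient, together with a check over the handler command line that such a registration leaves in the Windows registry. The protocol name myapp, the paths, the switches and the exe-switches-"%1" command shape are assumptions made for illustration.

```javascript
// Added example: the "--" workaround for CVE-2018-1000006 as a registration
// wrapper, plus an audit helper for the stored protocol-handler command line.
// Protocol name, paths and switches below are constructed, not real values.

const ARG_TERMINATOR = '--'; // Chromium stops parsing switches after this token

// Build the args array for app.setAsDefaultProtocolClient so that "--" is
// always the final element; the "%1" URL Windows appends then lands after the
// terminator and is treated as positional, never as a command-line option.
function hardenedProtocolArgs(extraSwitches = []) {
  const args = extraSwitches.filter((a) => a !== ARG_TERMINATOR);
  args.push(ARG_TERMINATOR);
  return args;
}

// Main-process registration. `app` is passed in so this file also runs outside
// Electron (in Electron it is require('electron').app).
function registerProtocol(app, protocol, execPath, extraSwitches = []) {
  return app.setAsDefaultProtocolClient(protocol, execPath, hardenedProtocolArgs(extraSwitches));
}

// Split a registry command string such as "C:\app\MyApp.exe" --foo "%1" into
// tokens, honouring double quotes. Assumption: the handler lives under
// HKCR\myapp\shell\open\command and has that exe-switches-"%1" shape.
function tokenize(command) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(command)) !== null) tokens.push(m[1] !== undefined ? m[1] : m[2]);
  return tokens;
}

// Audit check: true only if "--" appears before the "%1" placeholder, i.e. the
// URL portion (which any web page can supply) can no longer be read as options.
function commandHasTerminator(command) {
  const tokens = tokenize(command);
  const urlIdx = tokens.findIndex((t) => t.includes('%1'));
  return urlIdx > 0 && tokens.slice(0, urlIdx).includes(ARG_TERMINATOR);
}

// Constructed sample registry values: the unpatched shape and the shape the
// wrapper above produces.
const SAMPLE_COMMANDS = {
  vulnerable: '"C:\\Program Files\\MyApp\\MyApp.exe" "%1"',
  hardened: '"C:\\Program Files\\MyApp\\MyApp.exe" --enable-logging -- "%1"',
};

for (const [name, cmd] of Object.entries(SAMPLE_COMMANDS)) {
  console.log(`${name}: terminator present = ${commandHasTerminator(cmd)}`);
}
```

Upgrading Electron remains the fix the advisory asks for; the audit helper is only there to confirm that an existing installation actually carries the terminator.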

Updated to add

Signal reckons it's not affected:
