Security

Skype, Slack, other apps inherit Electron vuln

Devs, check your protocol handling, patch if necessary

By Richard Chirgwin


Updated: If you've built a Windows application on Electron, check whether it is subject to a just-announced remote code execution vulnerability.

Electron is a Node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It's widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has published only limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here's what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron's developers said.

The advisory doesn't give any indication how many apps make themselves the default protocol handler.

Electron has pushed out patched versions 1.8.2-beta.4, 1.7.11 and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®
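The workaround in the advisory is easy to get wrong in practice, so here is an added example (not from this article or the Electron project) showing the two sides of it from a defender's seat: registering a scheme with the trailing `--` via the real `app.setAsDefaultProtocolClient(protocol[, path, args])` signature, and auditing a handler's registry command template (the string Windows stores under the scheme's `shell\open\command` key) to confirm the end-of-options marker sits before the `%1` URL placeholder. The `app` object is passed in so the registration helper can be exercised outside Electron; the scheme name `myapp`, the paths and the sample templates are constructed for illustration.

```javascript
// Added example, not code from The Register or the Electron project.
// 1. registerProtocolWithGuard(): applies the advisory's interim fix by
//    making "--" the last argument of the protocol handler registration.
// 2. auditHandlerCommand(): checks a Windows registry command template
//    (HKCR\<scheme>\shell\open\command) for that guard before "%1".
// "app" is injected so this runs under plain Node with a stub object.

function registerProtocolWithGuard(app, scheme, execPath = process.execPath) {
  // Electron API: app.setAsDefaultProtocolClient(protocol[, path, args]).
  // Windows appends the clicked URL as "%1" after these args, so a trailing
  // "--" makes Chromium treat the URL as positional rather than as options.
  const args = ['--'];
  const ok = app.setAsDefaultProtocolClient(scheme, execPath, args);
  return { ok, scheme, execPath, args };
}

// Split a registry command template into tokens, honouring double quotes,
// e.g. '"C:\\app.exe" -- "%1"' -> ['C:\\app.exe', '--', '%1'].
function tokenizeCommand(template) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    tokens.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return tokens;
}

// Report whether a handler command carries the "--" guard before "%1".
function auditHandlerCommand(template) {
  const tokens = tokenizeCommand(template);
  const urlIndex = tokens.indexOf('%1');
  if (urlIndex === -1) {
    return { guarded: false, reason: 'no %1 placeholder: handler never receives the URL' };
  }
  const guarded = tokens.slice(0, urlIndex).includes('--');
  return {
    guarded,
    reason: guarded
      ? 'end-of-options marker precedes %1'
      : 'URL is parsed as options: add "--" before %1 or upgrade Electron',
  };
}

// Constructed sample templates, in the shape a registry audit would return.
const SAMPLE_COMMANDS = {
  unguarded: '"C:\\Program Files\\MyApp\\myapp.exe" "%1"',
  guarded: '"C:\\Program Files\\MyApp\\myapp.exe" "--" "%1"',
};

// Stand-alone demo with a stub "app" standing in for Electron's app module.
const stubApp = { setAsDefaultProtocolClient: () => true };
console.log(registerProtocolWithGuard(stubApp, 'myapp', 'C:\\Program Files\\MyApp\\myapp.exe'));
for (const [name, cmd] of Object.entries(SAMPLE_COMMANDS)) {
  console.log(name, auditHandlerCommand(cmd));
}
```

The audit only confirms argument ordering; it does not replace upgrading to a patched Electron release, and it says nothing about handlers registered by native code that write their own command template.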

Updated to add

Signal reckons it's not affected:

