Security

Skype, Slack, other apps inherit Electron vuln

Devs, check your protocol handling, patch if necessary

By Richard Chirgwin


Updated If you've built a Windows application on Electron, check to see if it's subject to a just-announced remote code execution vulnerability.

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It's widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here's what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron's developers said.

The advisory doesn't give any indication how many apps make themselves the default protocol handler.

Electron has pushed out patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®
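The workaround above, as an added example that is not from the article or the Electron project: a small model of the handler command line a Windows Electron app registers for its protocol, and of why a trailing -- stops further option parsing. The function names, the "myapp" scheme and the constructed token are assumptions for illustration; the code does not load Electron or touch the registry.

```javascript
// Added example (not the article's or Electron's code). Models the registered
// handler command line and the advisory's "append --" workaround. Function
// names, the "myapp" scheme and the token below are assumptions.

// The registered command has the shape <execPath> <args...> "%1", and Windows
// substitutes the invoked URL for %1 when the protocol is opened.
function buildHandlerArgs(execPath, args, url) {
  return [execPath, ...args, url];
}

// Simplified model of Chromium command-line parsing: a token starting with
// "--" is a switch until a bare "--" is seen; everything after it is positional.
function parseCommandLine(argv) {
  const switches = [];
  const positional = [];
  let optionsEnded = false;
  for (const token of argv.slice(1)) {        // argv[0] is the executable
    if (!optionsEnded && token === '--') {
      optionsEnded = true;
    } else if (!optionsEnded && token.startsWith('--')) {
      switches.push(token);
    } else {
      positional.push(token);
    }
  }
  return { switches, positional };
}

// Review check for an existing registration: the args passed to
// setAsDefaultProtocolClient must end with the option terminator.
function isRegistrationHardened(args) {
  return args.length > 0 && args[args.length - 1] === '--';
}

// For apps that cannot upgrade: append "--" unless it is already last, e.g.
//   app.setAsDefaultProtocolClient('myapp', process.execPath, hardenArgs(extra))
function hardenArgs(args) {
  return isRegistrationHardened(args) ? args.slice() : [...args, '--'];
}

// Constructed token that merely resembles an option (not a real Chromium
// switch); it stands in for the %1 value to show where each parser puts it.
const CONSTRUCTED_TOKEN = '--constructed-option=myapp://open';

// Unhardened: the token is parsed as a switch. Hardened: it stays positional.
const unhardened = parseCommandLine(buildHandlerArgs('app.exe', [], CONSTRUCTED_TOKEN));
const hardened = parseCommandLine(buildHandlerArgs('app.exe', hardenArgs([]), CONSTRUCTED_TOKEN));
console.log(unhardened.switches.length, hardened.switches.length); // prints "1 0"
```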

Updated to add

Signal reckons it's not affected:
