Electron App Vulnerable to Recode Code Execution Vulnerability
Electron, an open source web application platform for creating cross-platform applications, has reported a critical vulnerability that affects Windows users. The remote code execution vulnerability affects several popular apps, including Skype, Slack, and Signal.
“ A remote code execution vulnerability has been discovered, affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006,” wrote Electron in a blog post.
The vulnerability affects every Electron app that runs on Windows and registers as the default handler for a protocol, like myapp://.
According to Electron, “Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”
Electron has released a new version of the framework that fixes the vulnerability. If you work on Windows and are using Electron to build your apps, please update to the latest version immediately. Linux and MacOS users are not affected by the vulnerability.