Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.
Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.
Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.
Here’s what the advisory has to say:
“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.
“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.
A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.
Source: Skype, Signal, Slack, other apps inherit Electron vuln
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft