
Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

CyberWisdom Safe Harbor Commentary:

Thehackernews.com reports that a serious remote code execution vulnerability has been found in Electron, a popular web application framework that powers thousands of widely used desktop applications, including Skype, Signal, WordPress, and Slack.

Electron, an open source framework based on Node.js and the Chromium engine, allows application developers to build cross-platform, native desktop applications for Windows, macOS, and Linux without having to know the programming language used by each platform.

The vulnerability, assigned CVE-2018-1000006, affects only applications that run on Microsoft Windows and register themselves as the default handler for a protocol such as myapp://.
In an advisory published Monday, Electron said: “These applications suffer regardless of how the protocol is registered, such as using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

The Electron team also confirmed that applications designed for Apple’s macOS and Linux are not vulnerable to this issue, nor are applications (including those on Windows) that do not register themselves as the default handler for a protocol such as myapp://.
Electron developers have released two new framework versions, 1.8.2-beta.4, 1.7.11 and 1.6.16, to address this serious flaw.

The company said: “If for some reason you can not upgrade your version of Electron, you can append -- as the last parameter when calling app.setAsDefaultProtocolClient, which will prevent Chromium from parsing more options.”

End users can do nothing about this vulnerability; instead, developers using the Electron JS framework must immediately upgrade their applications to protect their user base.
Most details of the remote code execution vulnerability have not been made public for security reasons, nor have any of the vulnerable applications (those that make themselves the default protocol handler) been identified.
