A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications including Skype, Signal, WordPress and Slack.
Electron is an open-source framework that is based on Node.js and the Chromium engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux without knowledge of the programming languages used for each platform.
The vulnerability, assigned the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.
"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.
The Electron team has also confirmed that applications designed for Apple's macOS and Linux are not vulnerable to this issue, and neither are those (including for Windows) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16, to address this critical vulnerability.
"If for some reason you are unable to upgrade your Electron version, you can append '--' as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.
End users can do nothing about this vulnerability; instead, developers using the Electron JS framework have to upgrade their applications immediately to protect their user base.
More details of the remote code execution vulnerability have not been disclosed yet, nor has the advisory named any of the vulnerable apps (those that make themselves the default protocol handler), for security reasons.
We will update you as soon as any details about the flaw come out.