macOS and Linux are safe

Critical Electron vulnerability puts popular Windows apps at risk

Gabriela Motroc
Electron vulnerability

© Shutterstock / GaudiLab

It’s been less than a month since the Spectre and Meltdown debacle but apparently, it’s time for a new flaw to dominate the news. The critical vulnerability lies in Electron — the team deployed a patch for the vulnerability and they ask you to update your apps to the latest stable version immediately.

“Nothing like starting the new year with a security flaw that affects more or less every computer system in the world,” we wrote in early January when news broke that Spectre and Meltdown were making anything with a chip in it vulnerable. Little did we know that a critical Electron vulnerability would put the likes of Skype and Slack at risk shortly thereafter.

Electron (originally developed for GitHub’s Atom editor) is an open source framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It uses Chromium and Node.js so you can build your app with HTML, CSS, and JavaScript.

Companies like Microsoft, Facebook, Slack, and Docker use Electron to create applications. Check out the complete list of apps created with this framework here

SEE ALSO: Spectre and Meltdown make anything with chip in it vulnerable, but Raspberry Pi is safe

As it turns out, Electron is vulnerable to a remote code execution vulnerability, which has been assigned the CVE identifier CVE-2018-1000006. According to the blog post announcing the vulnerability fix, “Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable. Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

However, only Windows apps are impacted by the vulnerability; macOS and Linux are not vulnerable to this issue.

We’ve published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.41.7.11, and 1.6.16We urge all Electron developers to update their apps to the latest stable version immediately.

However, if you can’t upgrade your Electron version, the other solution would be to append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.

app.setAsDefaultProtocolClient(protocol, process.execPath, [

See the app.setAsDefaultProtocolClient API for more details. The bottom line is that you need to upgrade immediately.

If you want to learn more about how to keep your Electron apps safe, check out their security tutorial.

As of version 2.0.0, Electron will strictly adhere to Semantic Versioning

Electron 2.0 might not be ready to see the light of day but we do know that as of this major version, Electron will strictly adhere to Semantic Versioning. Therefore, “you’ll see the major version bump more often, and it will usually be a major update to Chromium. Patch releases will also be more stable, as they will now only contain bug fixes with no new features,” according to the blog post announcing the news.

Since Electron’s semver ranges will now be more meaningful, the team recommends installing Electron using npm’s default --save-dev flag, which will prefix your version with ^, keeping you safely up to date with minor and patch updates:

npm install --save-dev electron

If you want to read more about Semantic Versioning, see

Gabriela Motroc
Gabriela Motroc was editor of and JAX Magazine. Before working at Software & Support Media Group, she studied International Communication Management at the Hague University of Applied Sciences.

Inline Feedbacks
View all comments