Critical Electron vulnerability puts popular Windows apps at risk
It’s been less than a month since the Spectre and Meltdown debacle, but apparently it’s time for a new flaw to dominate the news. The critical vulnerability lies in Electron — the team has deployed a patch for it and asks you to update your apps to the latest stable version immediately.
“Nothing like starting the new year with a security flaw that affects more or less every computer system in the world,” we wrote in early January when news broke that Spectre and Meltdown were making anything with a chip in it vulnerable. Little did we know that a critical Electron vulnerability would put the likes of Skype and Slack at risk shortly thereafter.
Companies like Microsoft, Facebook, Slack, and Docker use Electron to create applications. Check out the complete list of apps created with this framework here.
As it turns out, Electron is vulnerable to a remote code execution vulnerability, which has been assigned the CVE identifier CVE-2018-1000006. According to the blog post announcing the vulnerability fix, “Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable. Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”
However, only Windows apps are impacted by the vulnerability; macOS and Linux are not vulnerable to this issue.
Signal does not register any custom protocol handlers and is not affected by this vulnerability.
— Signal (@signalapp) January 24, 2018
We’ve published new versions of Electron which include fixes for this vulnerability: 1.6.16. We urge all Electron developers to update their apps to the latest stable version immediately.
However, if you can’t upgrade your Electron version, the other solution would be to append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.
app.setAsDefaultProtocolClient(protocol, process.execPath, [ '--your-switches-here', '--' ])
See the app.setAsDefaultProtocolClient API for more details. The bottom line is that you need to upgrade immediately.
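To make the end-of-options convention concrete, here is an added Node.js example (not Electron’s or Chromium’s own code). It models a Chromium-style launcher with a hypothetical parser, parseCommandLine, and compares the argument list a handler receives when it is registered with and without the trailing --. The switch array mirrors the one in the registration call above; the protocol URL and the switch-looking token are constructed sample inputs.

```javascript
// Added example: a small model of the "--" end-of-options convention that
// the mitigation relies on. parseCommandLine is a hypothetical parser
// written for this example; it mimics how a Chromium-style launcher tells
// switches from positional arguments, it is not Chromium's real parser.

// Splits argv into switches (name -> value) and positional arguments.
// A token shaped like "--name" or "--name=value" is a switch only while
// no bare "--" has been seen; after "--" every remaining token is
// positional, even one that starts with "--".
function parseCommandLine(argv) {
  const switches = {};
  const positional = [];
  let optionsEnded = false;
  for (const token of argv) {
    if (!optionsEnded && token === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && token.startsWith('--')) {
      const [name, ...rest] = token.slice(2).split('=');
      switches[name] = rest.length ? rest.join('=') : true;
    } else {
      positional.push(token);
    }
  }
  return { switches, positional };
}

// Builds the argument list a protocol-handler launch produces: the app's
// own switches first, then the protocol URL the OS appends in place of
// its "%1" placeholder (here just a constructed string).
function handlerArgv(appSwitches, url) {
  return [...appSwitches, url];
}

// Registration without the terminator: the appended argument is still
// subject to switch parsing.
const WITHOUT_TERMINATOR = ['--your-switches-here'];
// Registration as recommended above: "--" is the last argument.
const WITH_TERMINATOR = ['--your-switches-here', '--'];

// Constructed sample inputs: a normal protocol URL, and a token that is
// shaped like a switch rather than a URL (a stand-in for untrusted input
// reaching the command line). The switch name is made up for the example.
const SAMPLE_URL = 'myapp://open/item/42';
const SAMPLE_SWITCH_LIKE = '--example-switch=untrusted';

// Parses the command line a handler would see for a given registration
// and appended argument.
function launchResult(appSwitches, appended) {
  return parseCommandLine(handlerArgv(appSwitches, appended));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Without "--": the switch-like token is parsed as a switch.
  console.log(launchResult(WITHOUT_TERMINATOR, SAMPLE_SWITCH_LIKE));
  // With "--": the same token is only a positional value.
  console.log(launchResult(WITH_TERMINATOR, SAMPLE_SWITCH_LIKE));
  // A real URL is positional either way.
  console.log(launchResult(WITH_TERMINATOR, SAMPLE_URL));
}
```

The point of the model is the last two calls: with the terminator in place, a token that merely looks like a switch lands in the positional list, where the app can validate it as a URL, instead of being interpreted as a launcher option. The -- is a stopgap; the page’s own bottom line stands, upgrade to a fixed Electron release.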
If you want to learn more about how to keep your Electron apps safe, check out their security tutorial.
As of version 2.0.0, Electron will strictly adhere to Semantic Versioning
Electron 2.0 might not be ready to see the light of day but we do know that as of this major version, Electron will strictly adhere to Semantic Versioning. Therefore, “you’ll see the major version bump more often, and it will usually be a major update to Chromium. Patch releases will also be more stable, as they will now only contain bug fixes with no new features,” according to the blog post announcing the news.
Since Electron’s semver ranges will now be more meaningful, the team recommends installing Electron using npm’s default --save-dev flag, which will prefix your version with ^, keeping you safely up to date with minor and patch updates:
npm install --save-dev electron
If you want to read more about Semantic Versioning, see electronjs.org/docs/tutorial/electron-versioning.