Skype, Signal, Slack, GitHub Desktop, Twitch, WordPress.com and other desktop apps are vulnerable to remote code execution.
Electron is a framework created in 2013 that uses web technologies such as JavaScript, HTML, and CSS to develop native desktop applications. It is an open source project maintained by GitHub and an active community of contributors. This framework uses Chromium and Node.js and supports Windows, macOS and Linux platforms.
An estimated 460 cross-platform desktop applications use Electron, but only a few were affected by the bug: it is limited to Windows, and apps on macOS and Linux are not vulnerable.
According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API).
The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.
“If for some reason you are unable to upgrade your Electron version, you can append "--" as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash "--" signifies the end of command options, after which only positional parameters are accepted,” Electron explains.
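The following is an added example, not code from Electron or from the article, that models why the "--" workaround works: a helper that builds the handler argument list with "--" last, and a simplified getopt-style parser (not Chromium's real one) showing that anything arriving after the sentinel stays positional. The protocol name, the placeholder option token and the sample URL are constructed for illustration.

```javascript
// Arguments to register with app.setAsDefaultProtocolClient. "--" must be the
// LAST entry so that whatever the OS appends afterwards (the protocol URL) is
// treated as positional data, never as a command-line option. In an Electron
// main process this would be used as:
//   app.setAsDefaultProtocolClient('myapp', process.execPath, buildHandlerArgs([]))
// ('myapp' is a placeholder protocol name.)
function buildHandlerArgs(extraArgs) {
  const args = extraArgs.filter((a) => a !== '--'); // keep a single sentinel
  args.push('--');
  return args;
}

// Simplified model of end-of-options handling: tokens starting with "--" are
// options until the first bare "--"; after that every token is positional.
function parseCommandLine(argv) {
  const options = [];
  const positional = [];
  let optionsEnded = false;
  for (const token of argv) {
    if (!optionsEnded && token === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && token.startsWith('--')) {
      options.push(token);
    } else {
      positional.push(token);
    }
  }
  return { options, positional };
}

// Constructed input: tokens the OS might hand the handler when a protocol URL
// is opened. The second token is a placeholder standing in for option-looking
// text that a crafted URL could cause to reach the parser.
const incoming = ['myapp://open?doc=1', '--some-option=untrusted-value'];

// Registration without the sentinel: the smuggled token is parsed as an option.
const withoutSentinel = parseCommandLine(incoming);

// Registration with "--" appended: the URL and the smuggled token both stay
// positional, so the option parser never sees them.
const withSentinel = parseCommandLine([...buildHandlerArgs([]), ...incoming]);

module.exports = { buildHandlerArgs, parseCommandLine, withoutSentinel, withSentinel };
```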
Electron developers are advised to update their software to the latest stable versions as soon as possible.