Skype, Signal, Slack, GitHub Desktop, Twitch, WordPress.com and other desktop apps are vulnerable to remote code execution.
An estimated 460 cross-platform desktop applications use Electron, but only a few were affected by the bug; macOS and Linux are not vulnerable.
According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API).
The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.
“If for some reason you are unable to upgrade your Electron version, you can append "--" as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash "--" signifies the end of command options, after which only positional parameters are accepted,” Electron explains.
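To show why the trailing "--" works, here is an added example (not code from the article or from Electron) that models the registration arguments passed to app.setAsDefaultProtocolClient and a deliberately simplified option parser; the parser and the sample URL tokens are constructed for illustration and are not Chromium's real command-line code.

```javascript
// Added example: why appending "--" to the protocol-handler registration
// keeps the URL handed over by the OS from being read as options.

// Extra args for app.setAsDefaultProtocolClient(protocol, path, args).
// hardened=true appends the "--" terminator that Electron's advisory recommends
// when the Electron version itself cannot be upgraded.
function protocolHandlerArgs(hardened) {
  return hardened ? ['--'] : [];
}

// Simplified model of a Chromium-style command-line parser (not the real one):
// tokens beginning with "--" are treated as switches until a bare "--" is seen,
// after which every remaining token is positional.
function parseCommandLine(argv) {
  const switches = [];
  const positional = [];
  let optionsEnded = false;
  for (const tok of argv) {
    if (optionsEnded) {
      positional.push(tok);
    } else if (tok === '--') {
      optionsEnded = true;
    } else if (tok.startsWith('--')) {
      switches.push(tok);
    } else {
      positional.push(tok);
    }
  }
  return { switches, positional };
}

// Simulate the OS launching the registered handler: the registered args come
// first, then whatever tokens the OS produced from the protocol URL.
function launchHandler(hardened, urlTokens) {
  return parseCommandLine([...protocolHandlerArgs(hardened), ...urlTokens]);
}

// Constructed inputs: a plain URL, and a tokenization in which a second token
// happens to look like a switch (placeholder name, not a real Chromium switch).
const plainUrl = ['myapp://open?doc=1'];
const switchLikeTokens = ['myapp://open', '--constructed-placeholder=1'];

// Without the terminator the switch-like token is parsed as an option;
// with it, every token after "--" is positional data for the app to validate.
console.log(launchHandler(false, switchLikeTokens).switches); // ['--constructed-placeholder=1']
console.log(launchHandler(true, switchLikeTokens).switches);  // []
console.log(launchHandler(true, plainUrl).positional);         // ['myapp://open?doc=1']
```

The app must still validate the positional URL itself; the terminator only stops the framework from interpreting it as switches.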
Electron developers are advised to update their software to the latest stable versions as soon as possible.
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has focused on information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Institute Resources and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.