UPDATE
Hundreds of software applications built using the developer framework called Electron may be vulnerable to a remote code execution flaw, according to developers of the framework. Impacted are dozens of popular Windows applications such as Microsoft’s Skype for Windows and Slack.
Earlier this week, GitHub’s Electron team released two patched versions of the Electron framework (1.8.2-beta.4, 1.7.11, and 1.6.16) and also announced a workaround fix for the vulnerability (CVE-2018-1000006). Meanwhile, publishers of affected applications, such as Skype for Windows and Slack, say they have also released updates to address the vulnerability.
Electron is a node.js, V8, and Chromium open-source framework popular with developers interested in using web technologies such as JavaScript, HTML and CSS to build desktop apps. The framework, formerly known as Atom Shell, is currently being developed by GitHub.
Electron said that “apps designed to run on Windows that that register themselves as the default handler for a protocol, like myapp://, are vulnerable,” according to a statement posted to GitHub’s Electron website. “Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”
The Electron website lists over 400 applications built using the framework. However, it’s unclear how many of those use the default Electron protocol handler which defines whether apps are vulnerable to the flaw. Open Whisper Systems, which also uses the Electron framework, confirmed to Threatpost its Signal secure messaging client is not impacted.
While the Electron framework is compatible with Mac, Linux, and Windows, the vulnerability only impacts Windows applications.
“This is potentially serious. There are several high profile messaging applications, including both Slack and Skype, that use the Electron.js framework. While we don’t know if they are specifically exposed to this vulnerability, the use of Electron.js in this sort of messaging app raises the possibility that it will be widely exploited to spread malware,” said Tim Jarrett senior director of security, Veracode.
He said that patching will require updating all affected applications and will force the application developers to update to the latest Electron patch. “This is the challenge with third-party components — software developers incorporating the component need to understand that there is an update and actually incorporate the update in their applications,” he said.
Derek Weeks, vice president and DevOps advocate at Sonatype, gave credit to the Electron team for acting fast and alerting the public to the problem and offering mitigation options.
“Recent high-profile breaches like the one at Equifax are serving as a wake-up call for all organizations, many of which rely on open-source and third-party frameworks, like Struts and Electron, as a foundational elements of their applications,” Weeks said.
According to Sonatype’s 2017 State of the Software Supply Chain report only 15.8 percent of 122,000 open-source projects studied remediated their vulnerabilities.
“Even when they did release secure updates, the average time to remediate those vulnerabilities was 233 days. Our reliance on open-source frameworks must not only prioritize their functionality, but also recognize the project’s track record of response to critical issues like security,” he said.
Along with patches offered by Electron, it has offered a workaround fix. “If for some reason you are unable to upgrade your Electron version, you can append — as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options,” according to the Electron team.
(This article was updated on 1/24/2018 at 4:25 pm ET to include confirmation that Open Whisper Systems Signal messaging app is not impacted by the Electron flaw. In a previous version of this article Threatpost incorrectly stated that Signal was affected.)