A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications including Skype, Signal, WordPress and Slack.
Electron is an open-source framework based on Node.js and the Chromium engine that allows app developers to create cross-platform native desktop applications for Windows, macOS and Linux without knowledge of the programming languages used for each platform.
The vulnerability, assigned the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.
"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.
The Electron team has also confirmed that applications designed for Apple's macOS and Linux are not vulnerable to this issue, and neither are those (including for Windows) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.
"If for some reason you are unable to upgrade your Electron version, you can append `--` as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.
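As an added example (not code from the Electron advisory or from this article), the Node.js sketch below audits a Windows protocol-handler command line for that workaround and builds an argument list that ends with `--`. It assumes the handler is registered as a command of the form `"exe" [args] "%1"`; the function names and sample paths are constructed for illustration.

```javascript
// Added example: check whether a protocol-handler command line carries the
// "--" workaround, and build an args list that keeps "--" last.

// Simplified splitter (assumption): handles double-quoted and bare tokens only.
function tokenize(command) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(command)) !== null) {
    tokens.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return tokens;
}

// 'mitigated'      -> "--" is the argument directly before the URL placeholder
// 'unmitigated'    -> placeholder present, but no "--" directly before it
// 'no-placeholder' -> command never receives the URL via %1
function auditHandlerCommand(command) {
  const tokens = tokenize(command);
  const idx = tokens.indexOf('%1');
  if (idx === -1) return 'no-placeholder';
  // idx >= 2: token 0 is the executable, so "--" must be a real argument.
  return idx >= 2 && tokens[idx - 1] === '--' ? 'mitigated' : 'unmitigated';
}

// Returns a copy of args with exactly one "--", placed last, suitable as the
// third parameter of app.setAsDefaultProtocolClient(protocol, path, args).
function withOptionTerminator(args = []) {
  return [...args.filter((a) => a !== '--'), '--'];
}

// Constructed sample command lines (hypothetical app and paths).
const SAMPLES = {
  plain: '"C:\\Apps\\MyApp\\myapp.exe" "%1"',
  fixed: '"C:\\Apps\\MyApp\\myapp.exe" --profile=default -- "%1"',
  misplaced: '"C:\\Apps\\MyApp\\myapp.exe" -- --profile=default "%1"',
};

for (const [name, cmd] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), auditHandlerCommand(cmd));
}

// In an Electron main process (not executed here), the call would look like:
//   app.setAsDefaultProtocolClient('myapp', process.execPath,
//                                  withOptionTerminator(['--profile=default']));
```

The `misplaced` sample is reported as unmitigated because arguments placed after `--` put the terminator somewhere other than last, which is not what the advisory's workaround describes.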
End users can do nothing about this vulnerability; instead, developers using the Electron JS framework have to upgrade their applications immediately to protect their user base.
Many details of the remote code execution vulnerability have not been disclosed yet, nor has the advisory named any of the vulnerable apps (those that make themselves the default protocol handler), for security reasons.
We will update you as soon as any details about the flaw come out.