GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier have a vulnerability in the protocol handler. Specifically, Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked into arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Vulnerable Product |
---|
atom electron 1.8.2 |
atom electron |
January's fix for software toolkit had blacklist flaw, now fixed
In an update last week, the developers of Electron – the toolkit used to craft widely used apps from Skype and Slack to Atom – shipped a patch to their January patch, and now, an infosec researcher has explained why. A remote-code execution vulnerability, CVE-2018-1000006, was found in Windows applications developed using Electron that registered custom protocol handlers. That security hole can be exploited to run arbitrary commands on a Windows PC by making a victim click on a maliciously c...
Devs, check your protocol handling, patch if necessary
Updated If you've built a Windows application on Electron, check to see if it's subject to a just-announced remote code execution vulnerability. Electron is a Node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It's widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters. Slack users should update to version 3.0.3 or better, and the latest version of Skype for ...