A flaw in a very popular software-building framework may affect a large number of popular desktop apps from Microsoft (Skype, Visual Studio Code), Brave (browser), GitHub (Atom Editor), Signal, Slack, Basecamp, WordPress.com, Twitch, Ghost, and others.
The flaw affects Electron, a software framework created by the GitHub team to aid in the development of the Atom source code editor.
Since its creation in 2013, the framework has become insanely popular because it lets app developers create cross-platform applications using basic web technologies such as JavaScript (Node.js), HTML, and CSS.
Because of this, Electron has been used by a huge number of products, even for heavy-duty apps such as the encrypted instant messaging powerhouse Signal, Microsoft's revamped Skype client, and all sorts of desktop companion apps for services such as Twitch, Slack, Basecamp, and WordPress.com.
Some Electron-based apps vulnerable to severe RCE bug
On Monday, the Electron team said it had patched a remote code execution vulnerability in the Electron framework. The vulnerability affects only Windows apps, not apps for Mac or Linux.
Electron devs said Electron apps that register themselves as the default handler for custom protocol schemes such as myapp:// are vulnerable, allowing an attacker to execute malicious code remotely on affected systems.
The flaw, which resides in the Electron framework's app.setAsDefaultProtocolClient API, was patched on Monday when the Electron team released versions 1.8.2-beta.4, 1.7.11, and 1.6.16 of the software-building framework.
The Electron team also included a quick workaround for app developers who cannot yet update their apps to the patched framework code.
The workaround is a temporary fix to prevent attackers from exploiting the flaw, but experts expect attackers to find a way around it pretty soon.
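The workaround the Electron team published alongside the patch was to pass "--" as the last argument to app.setAsDefaultProtocolClient, so the URL the operating system hands to the app is never read as Electron or Chromium command-line switches. The following is an added example, not code from the article or from the Electron project: it builds a hardened argument list and audits a Windows registration command string, assuming (as a labelled assumption) that the registered command has the shape `"app.exe" [args...] "%1"`.

```javascript
// Added example (not the article's or Electron's own code). Assumption: on
// Windows, app.setAsDefaultProtocolClient(protocol, exePath, args) registers a
// command of the form  "exePath" "arg1" ... "%1"  where %1 becomes the URL.

// Build the args array so that the end-of-options marker "--" is always the
// last argument, i.e. immediately before the "%1" URL placeholder.
function hardenedProtocolArgs(extraArgs = []) {
  const args = extraArgs.filter((a) => a !== '--'); // drop any stray marker
  return [...args, '--'];
}

// Produce the registration command string for the assumed Windows layout.
function registerCommand(exePath, extraArgs = []) {
  const parts = [exePath, ...hardenedProtocolArgs(extraArgs), '%1'];
  return parts.map((p) => `"${p}"`).join(' ');
}

// Tokenise a registry-style command string, honouring double quotes.
function splitCommand(cmd) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(cmd)) !== null) {
    tokens.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return tokens;
}

// Audit an existing registration: safe only when "--" directly precedes "%1".
// Returns { safe, reason } so the caller can log or alert on unsafe handlers.
function auditProtocolCommand(cmd) {
  const tokens = splitCommand(cmd);
  if (tokens.length < 2 || tokens[tokens.length - 1] !== '%1') {
    return { safe: false, reason: 'command does not end with the "%1" placeholder' };
  }
  if (tokens[tokens.length - 2] !== '--') {
    return { safe: false, reason: 'no "--" before "%1"; URL could be parsed as switches' };
  }
  return { safe: true, reason: 'ok' };
}

// Constructed sample: an unpatched-style registration versus the hardened one.
const UNSAFE_CMD = '"C:\\Apps\\myapp.exe" "%1"';
const SAFE_CMD = registerCommand('C:\\Apps\\myapp.exe');
console.log(UNSAFE_CMD, '->', auditProtocolCommand(UNSAFE_CMD).reason);
console.log(SAFE_CMD, '->', auditProtocolCommand(SAFE_CMD).reason);
```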