[SingCERT] Technical Advisory on Electron Framework Critical Protocol Handler Vulnerability

Published on Friday, 26 January 2018 15:38

Background

The Electron framework is a popular and widely used development cross-platform for creating desktop applications such as Skype, Slack, Signal, Shopify, Discord, Github, WordPress and Twitch.

On 22nd January 2018, Electron disclosed the critical vulnerability CVE-2018-1000006 present in the Electron framework which could possibly cause all Windows applications developed using that platform to be vulnerable to Remote Code Execution (RCE).

Affected Operating Systems & Software

There are more than 460 applications using the Electron framework. For the list of potentially affected applications, please refer to https://electronjs.org/apps. Applications that are designed to run on Microsoft Windows that register themselves as the default handler for a protocol like "myapp://" are vulnerable and can only be verified by the application developers.

Impact

If a victim has been affected, the attacker will be able to remotely execute code which could potentially lead to app hijacking and data loss. Popular messaging applications developed under the Electron framework could be exploited for malicious activities.

Recommendations

System Administrators and End Users
SingCERT recommends to update the affected software to the latest versions as soon as there are available updates from the developers.

Application Developers
All Electron developers are advised to upgrade their Electron versions to the latest versions which include fixes for the vulnerability.


If for some reason the Electron version cannot be updated, developers can do a temporary fix by appending "--" as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.

Example

- app.setAsDefaultProtocolClient(protocol, process.execPath, [
 '--your-switches-here',
 '--'
])


References

https://electronjs.org/blog/protocol-handler-fix

https://threatpost.com/skype-slack-and-other-popular-windows-apps-vulnerable-to-critical-framework-bug/129655/

https://www.bleepingcomputer.com/news/security/software-framework-flaw-affects-apps-from-skype-signal-slack-twitch-others/