Electron is an open-source framework that is based on Node.js as well as Chromium Engine as well as allows app developers to construct cross-platform native desktop applications for Windows, macOS as well as Linux, without cognition of programming languages used for each platform.
The vulnerability, assigned every bit the number CVE-2018-1000006, affects solely those apps that run on Microsoft Windows as well as register themselves every bit the default handler for a protocol similar myapp://.
"Such apps tin endure affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says inwards an advisory published Monday.The Electron squad has every bit good confirmed that applications designed for Apple's macOS as well as Linux are non vulnerable to this issue, as well as neither those (including for Windows) that create non register themselves every bit the default handler for a protocol similar myapp://.
The Electron developers accept already released 2 novel versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, as well as 1.6.16 to address this critical vulnerability.
"If for about argue y'all are unable to upgrade your Electron version, y'all tin append—as the final declaration when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing farther options," the companionship says.
End users tin create null virtually this vulnerability; instead, developers using Electron JS framework accept to upgrade their applications at nowadays to protect their user base.
Much details of the remote code execution vulnerability accept non been disclosed yet, neither the advisory named whatever of the vulnerable apps (that brand themselves the default protocol handler) for safety reason.
We volition update y'all every bit presently every bit whatever details virtually the flaw come upwards out.
Share This :
comment 0 Comments
more_vert