Remote Code Execution Vulnerability in Electron Apps

Here is what Developers and Users need to know about Electron’s latest security issue.

A glowing electron in front of a gloomy sky with random binary numbers is never a good sign … Original photograph by code404 (CC0)

On Monday, the Electron team published security advisory CVE-2018–1000006 describing an arbitrary code execution vulnerability in Electron. Arbitary code executions — or remote code executions (RCE) when performed through a network — are the most severe class of software vulnerabilities. They allow an attacker to run any code on the victim’s machine.

Am I affected as a User?

The current report affects Electron applications on Windows that use custom protocols. Custom protocols allow applications to handle links from web pages or other applications. Links on Apple’s App Store web page, for example, use URLs beginning with itmss:// so that they can be opened directly by iTunes.

If an Electron application uses custom protocols on Windows and has not been updated since Monday, it is vulnerable. You can verify which applications use custom protocols in the Windows Settings. Disable protocols for applications that have not yet been updated with a security patch or uninstall them.

Am I affected as a Developer?

If you have published an application with any version of Electron before 1.8.2-beta.4, 1.7.11, or 1.6.16 and you are using the app.setAsDefaultProtocolClient API on Windows, your application is vulnerable. You need to take immediate action.

What if I am affected?

1. Follow the mitigation advice put out by the Electron team
2. Inform your users about the vulnerability and the severity of it.
3. Release an updated version of your application built with an updated version of Electron.

How can I secure my application in the future?

Electron is a convenient way to create desktop applications with familiar web frameworks. Unfortunately, this ease-of-use comes at the cost of many millions of lines of code from the Chromium and Electron project — each one of them a potential security hazard. Remember: Source code is a liability, not an asset and using a vast software project like Electron in your application is a vast security liability.

There is no way to ensure your application is safe from future vulnerability discoveries in Electron. This is why you need to make sure to tick every point on the following checklist:

1. Make sure you follow the Electron team’s guide to creating secure Electron applications. Before you start worrying about vulnerabilities in Electron, make sure you are not adding own security pitfalls.
2. Subscribe to the Electron Release feed. Make sure to keep an eye out for for any releases with mentions of [SECURITY]
3. Enable auto-updates. Only with a functioning auto-update pipeline can you react quickly to known vulnerabilities. You can follow Electron’s auto-update guide. Alternatively, you can use a specialized service such as DBLSQD for Electron for managing your updates.