On Monday, the Electron team published security advisory CVE-2018–1000006 describing an arbitrary code execution vulnerability in Electron. Arbitary code executions — or remote code executions (RCE) when performed through a network — are the most severe class of software vulnerabilities. They allow an attacker to run any code on the victim’s machine.
The current report affects Electron applications on Windows that use custom protocols. Custom protocols allow applications to handle links from web pages or other applications. Links on Apple’s App Store web page, for example, use URLs beginning with
itmss:// so that they can be opened directly by iTunes.
If an Electron application uses custom protocols on Windows and has not been updated since Monday, it is vulnerable. You can verify which applications use custom protocols in the Windows Settings. Disable protocols for applications that have not yet been updated with a security patch or uninstall them.
If you have published an application with any version of Electron before
1.6.16 and you are using the
app.setAsDefaultProtocolClient API on Windows, your application is vulnerable. You need to take immediate action.
Electron is a convenient way to create desktop applications with familiar web frameworks. Unfortunately, this ease-of-use comes at the cost of many millions of lines of code from the Chromium and Electron project — each one of them a potential security hazard. Remember: Source code is a liability, not an asset and using a vast software project like Electron in your application is a vast security liability.
There is no way to ensure your application is safe from future vulnerability discoveries in Electron. This is why you need to make sure to tick every point on the following checklist: