Here is what Developers and Users need to know about Electron's latest security issue.

A glowing electron in front of a gloomy sky with random binary numbers is never a good sign … Original photograph by code404 (CC0)

On Monday, the Electron team published a security advisory describing an arbitrary code execution vulnerability in Electron, tracked as CVE-2018-1000006. Arbitrary code execution, called remote code execution (RCE) when an attacker can trigger it over a network, is the most severe class of software vulnerability: it lets an attacker run any code they like on the victim's machine.

Am I affected as a User?

The advisory affects Electron applications on Windows that register custom protocols. Custom protocols allow applications to handle links from web pages or other applications. Links on Apple's App Store web page, for example, use URLs beginning with itmss:// so that they can be opened directly by iTunes. If an Electron application registers a custom protocol on Windows and has not been updated since Monday, it is vulnerable, and a crafted link to that protocol is all an attacker needs to reach it.

You can check which applications handle which protocols in the Windows Settings (Apps > Default apps > Choose default apps by protocol). Disable the protocols of applications that have not yet shipped a security patch, or uninstall those applications.

Am I affected as a Developer?

If you have published an application built with any version of Electron before 1.8.2-beta.4, 1.7.11, or 1.6.16 and you call the app.setAsDefaultProtocolClient API on Windows, your application is vulnerable. You need to take immediate action.

What if I am affected?

- Follow the mitigation advice put out by the Electron team: upgrade to a patched Electron, or, if you cannot upgrade immediately, append -- as the last argument to app.setAsDefaultProtocolClient so that Chromium stops parsing command-line switches out of the link.
- Inform your users about the vulnerability and its severity.
- Release an updated version of your application built with a patched version of Electron.

How can I secure my application in the future?

Electron is a convenient way to create desktop applications with familiar web frameworks.
Unfortunately, this ease of use comes at the cost of many millions of lines of code from the Chromium and Electron projects, every one of them a potential security hazard. Remember: source code is a liability, not an asset, and embedding a vast software project like Electron in your application is a vast security liability. There is no way to ensure your application is safe from future vulnerability discoveries in Electron. This is why you need to make sure you tick every point on the following checklist:

- Follow the Electron team's guide to creating secure Electron applications. Before you start worrying about vulnerabilities in Electron, make sure you are not adding security pitfalls of your own.
- Subscribe to the Electron release feed and keep an eye out for any release whose notes mention [SECURITY].
- Enable auto-updates. Only with a functioning auto-update pipeline can you react quickly to known vulnerabilities. You can follow Electron's auto-update guide, or use a specialized service such as DBLSQD for Electron to manage your updates.
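As an added example (not code from the original post or from the Electron project), here are the two developer-side steps above in JavaScript: a version gate that reports whether the Electron you ship already carries the fix, using the fix versions named in the advisory, and a registration helper that applies the Electron team's workaround of appending -- after the executable so that Chromium stops parsing switches before the %1 link argument. The app object is passed in rather than required from electron so the helper can be exercised under plain Node with a stand-in; the names isPatchedElectron and registerProtocolClient, and the rule that release lines newer than 1.8 count as fixed while lines older than 1.6 count as unfixed, are assumptions of this example.

```javascript
// Added example, not from the original post or the Electron project.
// Fix releases named in the advisory for CVE-2018-1000006.
const FIX_VERSIONS = {
  '1.6': '1.6.16',
  '1.7': '1.7.11',
  '1.8': '1.8.2-beta.4',
};

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver-style comparison: numeric core first, then prerelease identifiers.
// A release (no prerelease) is newer than any prerelease of the same core,
// which is what makes 1.8.2 count as newer than 1.8.2-beta.4.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const len = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < len; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;        // shorter identifier list sorts lower
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;                            // numeric identifiers sort below alphanumeric
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True if `version` (typically process.versions.electron) includes the fix.
// Assumption: lines without a listed fix are judged against the newest fix
// release, so 1.9+ and 2.x count as fixed and 1.5 and older as unfixed.
function isPatchedElectron(version) {
  const { nums } = parseVersion(version);
  const fix = FIX_VERSIONS[`${nums[0]}.${nums[1]}`] || FIX_VERSIONS['1.8'];
  return compareVersions(version, fix) >= 0;
}

// Register `scheme` as handled by this executable, with the Electron team's
// workaround applied: '--' is the last argument before Windows appends "%1",
// so a crafted link cannot smuggle Chromium switches into the command line.
// `app` is injected (pass require('electron').app in a real app) so this
// helper can run under plain Node with a stand-in. Returns the args registered.
function registerProtocolClient(app, scheme, execPath = process.execPath) {
  if (!/^[a-z][a-z0-9+.-]*$/i.test(scheme)) throw new Error(`bad scheme: ${scheme}`);
  const args = ['--'];
  const ok = app.setAsDefaultProtocolClient(scheme, execPath, args);
  if (!ok) throw new Error(`could not register ${scheme}://`);
  return args;
}

// Stand-alone demo with a stand-in app object (constructed for this example).
if (typeof require !== 'undefined' && require.main === module) {
  const fakeApp = { setAsDefaultProtocolClient: (s, p, a) => { console.log(s, p, a); return true; } };
  console.log('1.7.10 patched?', isPatchedElectron('1.7.10'));
  console.log('1.8.2-beta.4 patched?', isPatchedElectron('1.8.2-beta.4'));
  registerProtocolClient(fakeApp, 'myapp', 'C:\\Apps\\MyApp\\MyApp.exe');
}
```

In a real application the version gate belongs in your build or CI step (fail the build if isPatchedElectron(process.versions.electron) is false), and the registration helper replaces the bare app.setAsDefaultProtocolClient(scheme) call in your main process; once you are on a fixed Electron the trailing -- is redundant but harmless.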