CVE-2018-1000006: Electron remote code execution vulnerability
On January 22, 2018, a known security vulnerability (CVE-2018-1000006) affecting Windows users of Electron-based programs (like Discord) was made public. The bug allows an attacker to achieve remote code execution in vulnerable programs.
Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime, and apps can be packaged for Mac, Windows, and Linux.
Affected platform
Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable. Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.
macOS and Linux are not vulnerable to this issue.
Solution
Electron has released two patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16. For apps that cannot move to one of them, it offers a workaround: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.”
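The workaround quoted above, as an added example (not code from Electron or from the advisory): a registration wrapper that guarantees -- is the last registered argument, plus a simplified model of end-of-options parsing that shows its effect. The helper names, the sample argv and the parsing model are assumptions made for illustration; it also assumes the protocol URL is passed after the registered arguments.

```javascript
'use strict';

const END_OF_OPTIONS = '--';

// Return the argument list to register, with "--" guaranteed to be last.
function hardenedArgs(args = []) {
  return args[args.length - 1] === END_OF_OPTIONS
    ? [...args]
    : [...args, END_OF_OPTIONS];
}

// Register the handler. `app` is Electron's app module (require('electron').app);
// setAsDefaultProtocolClient(protocol, path, args) is the API named in the advisory.
function registerProtocol(app, scheme, execPath = process.execPath, args = []) {
  const finalArgs = hardenedArgs(args);
  const ok = app.setAsDefaultProtocolClient(scheme, execPath, finalArgs);
  return { ok, finalArgs };
}

// Simplified model of end-of-options handling (an assumption for illustration,
// not Chromium's parser): tokens beginning with "--" are switches until a bare
// "--" is seen; every token after that marker is positional.
function splitArgv(argv) {
  const switches = [];
  const positional = [];
  let optionsEnded = false;
  for (const token of argv) {
    if (!optionsEnded && token === END_OF_OPTIONS) {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && token.startsWith('--')) switches.push(token);
    else positional.push(token);
  }
  return { switches, positional };
}

// Constructed launch command lines: the same trailing tokens, with and
// without the "--" marker in front of the protocol URL.
const WITHOUT_MARKER = ['app.exe', 'myapp://open', '--example-switch'];
const WITH_MARKER = ['app.exe', '--', 'myapp://open', '--example-switch'];

// Number of tokens the model treats as switches in each case.
function switchCounts() {
  return {
    withoutMarker: splitArgv(WITHOUT_MARKER).switches.length,
    withMarker: splitArgv(WITH_MARKER).switches.length,
  };
}
```

In an Electron main process, call registerProtocol(app, 'myapp') in place of a bare app.setAsDefaultProtocolClient('myapp') call; upgrading to a patched version remains the fix, and this is only the stopgap the advisory describes.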