Severe Electron framework vulnerability impacts apps like Skype and Slack
Electron, a popular framework for writing desktop applications with web technologies that underlies some extremely widespread software, including Skype and Slack, has a critical remote code execution vulnerability.
Apps are only vulnerable if they run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://. macOS and Linux apps are not vulnerable. Referred to as a “Protocol Handler Vulnerability,” the problem has been assigned the identifier CVE-2018-1000006.
Protocols like slack:// let users click a link in other software, such as a web browser, and land directly in, for instance, the Slack app.
Several widely used apps are built on Electron, including the Windows desktop apps for the encrypted messaging app Signal, the audio chat app Discord and the content management system WordPress. However, most of these apps don’t register themselves as the default handler for a protocol like myapp://, so they are not vulnerable. You can find a full list of Electron apps here to better understand the popularity of Electron, but it’s not a definitive list of apps impacted by this vulnerability.
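To make concrete what “registering as the default handler for a protocol” means for an app, here is an added example (not code from the article, Slack, Skype or the Electron project) of how a Windows desktop app receives a myapp:// link and how a defender would treat it. It assumes, as is the case for Electron on Windows, that the operating system launches the registered handler with the clicked link as a command-line argument, so the app sees it in `process.argv`; the scheme name `myapp`, the `open` route, and the sample argv arrays are constructed for illustration.

```javascript
// Added example: handling a custom-protocol link (myapp://...) that arrives
// in process.argv on Windows. Once an app is a protocol handler, anything a
// web page can make the browser pass to it must be treated as untrusted.

const MAX_URL_LENGTH = 2048;

/**
 * Return the single argument that is a well-formed URL for `scheme`, parsed,
 * or null. Exactly one candidate is accepted; extra or malformed arguments
 * make the whole launch invalid rather than being interpreted individually.
 * (Assumption: the OS places the clicked link somewhere in argv.)
 */
function extractProtocolUrl(argv, scheme) {
  const prefix = `${scheme}://`;
  const candidates = argv.filter(
    (a) => typeof a === 'string' && a.toLowerCase().startsWith(prefix)
  );
  if (candidates.length !== 1) return null;
  const raw = candidates[0];
  if (raw.length > MAX_URL_LENGTH) return null;
  let url;
  try {
    url = new URL(raw); // WHATWG parser: rejects structurally invalid input
  } catch {
    return null;
  }
  if (url.protocol !== `${scheme}:`) return null;
  return url;
}

/**
 * Map a validated deep link onto the small set of actions the app supports.
 * Only myapp://open/<id> is recognised (hypothetical route); the id is
 * restricted to a short safe alphabet and never forwarded anywhere else.
 */
function routeDeepLink(url) {
  if (url.hostname === 'open' && /^\/[A-Za-z0-9_-]{1,64}$/.test(url.pathname)) {
    return { action: 'open', id: url.pathname.slice(1) };
  }
  return null; // unknown route: drop it instead of guessing
}

/** Full pipeline: argv in, either a safe action object or null out. */
function handleArgv(argv, scheme) {
  const url = extractProtocolUrl(argv, scheme);
  if (!url) return null;
  return routeDeepLink(url);
}

// Constructed sample launches, as a Windows shell would hand them to the app.
const samples = [
  ['app.exe', 'myapp://open/abc-123'],              // normal deep link
  ['app.exe'],                                      // plain launch, no link
  ['app.exe', 'myapp://open/a', 'myapp://open/b'],  // ambiguous: two links
  ['app.exe', 'https://example.com/'],              // wrong scheme
  ['app.exe', 'myapp://other/abc'],                 // unknown route
];
for (const argv of samples) {
  console.log(JSON.stringify(argv), '->', JSON.stringify(handleArgv(argv, 'myapp')));
}
```

The point of the example is the allow-list shape of the code: the link is parsed with a real URL parser, checked against the expected scheme, and then matched against a fixed set of routes, so an unexpected argument results in nothing happening rather than in the app acting on it.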
The recently released Slack version 3.0.3 and later for Windows address the vulnerability, according to a Slack spokesperson, who urged all users to upgrade immediately.
A Microsoft spokesperson confirmed the newest version of Skype mitigated the vulnerability.
Electron’s appeal is that developers can write an app once using web technologies like HTML, CSS and JavaScript instead of rewriting it multiple times in different languages for multiple platforms.
Electron published new versions of its software to fix the vulnerability on Tuesday. All developers are urged to upgrade immediately.
Update: Added a comment from Microsoft.