Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

A critical remote code execution vulnerability has been reported in Electron—a popular web application framework that powers thousands of widely-used desktop applications including Skype, Signal, Wordpress and Slack—that allows for remote code execution.

Electron is an open-source framework that is based on Node. js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.

The vulnerability, assigned as the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.

"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisorypublished Monday.

The Electron team has also confirmed that applications designed for Apple's macOS and Linux are not vulnerable to this issue, and neither those (including for Windows) that do not register themselves as the default handler for a protocol like myapp://.

The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.

"If for some reason you are unable to upgrade your Electron version, you can append—as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.

End users can do nothing about this vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.

Much details of the remote code execution vulnerability have not been disclosed yet, neither the advisory named any of the vulnerable apps (that make themselves the default protocol handler) for security reason.

We will update you as soon as any details about the flaw come out.

Facebook Moves To Decide What Is Real News

Comments

Microsoft To Update Windows ‘Notepad App’ After Years, Teases New Features

E very week or the other, Microsoft releases a new build for the fast ring insiders. The latest Windows 10 Insider Preview Build 17713 bring a pack of surprises for Windows users. Redmond always listens to users, and this time, they have heard to Notepad users who were fed up with the uninteresting interface. Microsoft is giving its text editor Notepad new features after a very long time. Yes, the very same app that people use to write random text, create batch files and HTML pages, etc. Among the new Notepad features being added to Windows, you would be able to zoom into text by using the mouse wheel while holding down the Ctrl key. A long requested feature is coming for users; Microsoft is adding ctrl+backspace support to delete a previous word. Other than these, you will now have the ability to wrap around find and replace. Also, the status bar is now enabled by default in Notepad. There are few performance improvements for large...

Google starts rolling out ‘Call Screen’ feature for Pixel smartphones

San Francisco, Dec 2 (IANS) Google has started rolling out a feature for its Pixel smartphones that lets users make use of the Google Assistant to see who is calling and why before they answer a call. The feature allows users to see a real-time transcript of how the caller responds so that they can then decide whether to pick up, respond by tapping a quick reply (for example, “I’ll call you back later”), or mark the call as spam and dismiss. “Call Screen is only available to English speakers in the United States who have Pixel 2, 2 XL, 3, or 3XL devices. If you don’t see Call Screen in the Phone app’s settings, it’s not available yet,” Google said. Call Screen, which can help users save the time spent on picking up unimportant calls from unknown numbers, does not use Wi-Fi or mobile data of the user. This feature does not work with third-party call recording and screen recording apps as these apps may interfere with how the feature works. It is better to turn off these app...

Facebook Fined £500,000 for Cambridge Analytica Data Scandal

Facebook has finally been slapped with its first fine of £500,000 for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse data of 87 million users. The fine has been imposed by the UK's Information Commissioner's Office ( ICO ) and was calculated using the UK's old Data Protection Act 1998 which can levy a maximum penalty of £500,000 — ironically that’s equals to the amount Facebook earns every 18 minutes. The news does not come as a surprise as the U.K.'s data privacy watchdog already notified the social network giant in July this year that the commission was intended to issue the maximum fine. For those unaware, Facebook has been under scrutiny since earlier this year when it was revealed that the personal data of 87 million users was improperly gathered and misused by political consultancy firm Cambridge Analytica, who reportedly helped Donald Trump win the US presidency in 2016. The ICO, who launched an investigatio...

Tech Knock

Search This Blog