![](\"https:\/\/3.bp.blogspot.com\/-lAHE9MSWXjY\/Wmh6GKyK03I\/AAAAAAAAvjw\/yZkRCMTLbIcWNiNKzpuO_E5-6lhbJphfACLcBGAs\/s1600\/electron-js-framework-hacking.png\" "\\"Critical")
<\/p>\n<\/p>\n
\nA critical remote code execution vulnerability has been reported in <\/p>\n
Electron<\/a><\/b><\/p>\n \u2014a popular web application framework that powers thousands of widely-used desktop applications including Skype, Signal, WordPress and Slack\u2014that allows for remote code execution.\n<\/p>\n \nElectron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.\n<\/p>\n \nThe vulnerability, assigned as the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp:\/\/.\n<\/p>\n \n"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API," Electron says in an advisory<\/a> published Monday.<\/p><\/blockquote>\n \nThe Electron team has also confirmed that applications designed for Apple’s macOS and Linux are not vulnerable to this issue, and neither those (including for Windows) that do not register themselves as the default handler for a protocol like myapp:\/\/.\n<\/p>\n \nThe Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.\n<\/p>\n \n"If for some reason you are unable to upgrade your Electron version, you can append\u2014as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.<\/p><\/blockquote>\n \nEnd users can do nothing about this vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.\n<\/p>\n \nMuch details of the remote code execution vulnerability have not been disclosed yet, neither the advisory named any of the vulnerable apps (that make themselves the default protocol handler) for security reason.\n<\/p>\n \nWe will update you as soon as any details about the flaw come out.<\/p>\n<\/div>\n<\/div>\n