Software Framework Flaw Affects Apps From Skype, Signal, Slack, Twitch, Others
A flaw in a widely used software-building framework may affect many popular desktop apps from Microsoft (Skype, Visual Studio Code), Brave (browser), GitHub (Atom Editor), Signal, Slack, Basecamp, WordPress.com, Twitch, Ghost, and others.
The Electron team said it patched a remote code execution vulnerability in the Electron framework. The vulnerability affects only Windows apps, not apps for Mac or Linux. Electron apps that register themselves as the default app for handling custom protocol formats such as myapp:// are vulnerable and will allow an attacker to execute malicious code on affected systems remotely.
The flaw was patched on Monday when the Electron team released versions 1.8.2-beta.4, 1.7.11, and 1.6.16 of the software-building framework. Developers also included a quick workaround for app developers who cannot update their apps to the new Electron framework code just yet. The workaround is a temporary fix to prevent attackers from exploiting the flaw, but experts expect attackers to find a way around it pretty soon.
App developers are the first ones who need to act by incorporating the Electron fixes in their apps. Second, app users will need to apply the most recent patches for any of the apps listed on this page.