Electron framework flaw puts popular desktop apps at risk
The Electron framework -- used to develop desktop apps using web code -- included a remote code execution flaw that was passed on to popular apps like Slack.
A new vulnerability found in an app development tool has caused popular desktop apps made with the tool to inherit a risky flaw.
The Electron framework uses node.js and Chromium to build desktop apps for popular web services -- including Slack, Skype, WordPress.com, Twitch, GitHub and many more -- while using web code like JavaScript, HTML and CSS. Electron announced that a remote code execution vulnerability in the Electron framework (CVE-2018-1000006) was inherited by an unknown number of apps.
Zeke Sikelianos, a designer and developer who works at Electron, wrote in a blog post that only apps built for "Windows that register themselves as the default handler for a protocol ... are vulnerable," while apps for macOS and Linux are not at risk.
Amit Serper, principal security researcher at Cybereason, said a flaw like the one found in the Electron framework "is pretty dangerous since it allows arbitrary command execution by a simple social engineering trick."
A flaw like this ... is pretty dangerous since it allows arbitrary command execution by a simple social engineering trick.
Amit Serperprincipal security researcher, Cybereason
"Electron apps have the ability to register a protocol handler to make it easier to automate processes for the Electron apps themselves (for example, if you'll click a link that starts with slack:// then Slack will launch. It makes it easier to automate the process of joining a Slack group)," Serper told SearchSecurity by email. "The vulnerability is in the way that the protocol handler is being processed by the Electron app, which allows an attacker to create a malicious link to an Electron app which will execute whatever command that the attacker wanted to run."
Sikelianos urged developers to update apps to the most recent version of Electron as soon as possible.
A spokesperson for Slack told SearchSecurity that the company collaborates closely with the Electron community and "started working to mitigate the vulnerability right after its discovery. Slack versions 3.0.3+ for Windows mitigates the vulnerability. There is no indication that Slack users were impacted, but we encourage everyone to upgrade immediately."
There are more than 460 apps that have been built using the flawed Electron framework, but it is unclear how many of those apps are at risk and experts noted that code reviews could take a while.
Security audits
Lane Thames, senior security researcher at Tripwire, said mechanisms for code reuse like software libraries, open source code and the Electron framework "are some of the best things going for modern software development. However, they are also some of its worst enemies in terms of security."
"Anytime a code base is in use across many products, havoc will ensue when (not if) a vulnerability is discovered. This is inevitable. Therefore, developers should ensure that mechanisms are in place for updating downstream applications that are impacted by the vulnerabilities in the upstream components," Thames told SearchSecurity. "This is not an easy task and requires lots of coordination between various stakeholders. In a perfect world, code that gets used by many other projects should undergo security assessments with every release. Implementing a secure coding practice where every commit is evaluated at least with a security-focused code review would be even better."
Serper said developers need to "always audit their code and be mindful to security."
"However, in today's software engineering ecosystem, where there is a lot of use of third-party libraries, it is very hard to audit the code that you are using since many developers today use modules and code that was written by other people, completely unrelated to their own project," Serper said. "These are vast amounts of code and auditing third-party code in addition to auditing your own code could take a lot of time."
Justin Jett, director of audit and compliance at Plixer, a network analysis company based in Kennebunk, Maine, said the Electron framework flaw was significant, given that "affected applications like Skype, Slack and WordPress are used by organizations to host and share their most critical information.
"If these applications were to be compromised, the impact could be devastating. Developers that use third-party frameworks, like Electron, should audit their code on a regular basis, ideally quarterly, to ensure they are using an up-to-date version of the framework that works with their application and has resolved any security issues from previous releases," Jett told SearchSecurity. "Additionally, platform developers, like Electron, should complete routine audits on their software to ensure that the developers taking advantage of their platform don't expose users to security vulnerabilities -- vulnerabilities which, left unresolved, could cause profound damage to businesses that rely on these applications."
