A Vulnerability in Electron Could Allow for Remote Code Execution

ITS Advisory Number: 2018-012
Date(s) Issued: Monday, January 29, 2018
Subject: A Vulnerability in Electron Could Allow for Remote Code Execution
Overview: 

A vulnerability has been identified in the Electron JavaScript library, which could allow for remote code execution. Electron, an open-source library, is used to develop desktop applications that utilize web components. Popular applications that use Electron include Skype and Slack. Successful exploitation of this vulnerability in Electron could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Systems Affected: 
  • Microsoft Windows-based applications that use Electron versions prior to 1.8.2-beta.4, 1.7.11, and 1.6.16.
Risk:
  Government:
    • Large and medium government entities: High
    • Small government entities: Medium
  Business:
    • Large and medium business entities: High
    • Small business entities: Medium
  Home users: Low
Description: 

A vulnerability has been identified in applications using the Electron library, which could allow for remote code execution. This vulnerability occurs when a victim navigates to a specially crafted link that calls the app.setAsDefaultProtocolClient method in the Electron API. This method is used in parsing calls to custom protocol handlers such as myapp://. The method sends the arguments to the application assigned as the default handler for a given protocol.

Successful exploitation of this vulnerability in Electron could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Actions: 
  • Verify no unauthorized system modifications have occurred on the system before upgrading.
  • Appending "--", which signifies the end of command options, as the last argument can mitigate malicious calls to the app.setAsDefaultProtocolClient method.
  • After appropriate testing, immediately upgrade relevant applications to use the latest version of the Electron library.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
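The second action item above, as an added JavaScript example that is not part of the advisory or of the Electron project: the weak registration beside the mitigated one, plus a simplified model of end-of-options handling (an assumption, not Electron's or Chromium's actual parser) that shows why the trailing "--" keeps link contents from being read as options. The scheme name, the crafted link and the space-splitting launcher are constructed for illustration.

```javascript
// Added example (not the advisory's or the Electron project's own code).
// Electron's app.setAsDefaultProtocolClient(protocol, path, args) registers
// the app as the handler for protocol:// links; on Windows the OS then runs
// `path args <link>` whenever such a link is opened.
const PROTOCOL = 'myapp'; // constructed scheme for the example

// Weak registration: the link lands right after any fixed arguments, so
// option-like text inside it can be interpreted as a command-line option.
function weakHandlerArgs(fixedArgs = []) {
  return [...fixedArgs];
}

// Mitigated registration (the advisory's second action): `--` is the
// end-of-options marker, so whatever follows it is positional, not an option.
function safeHandlerArgs(fixedArgs = []) {
  return [...fixedArgs.filter((a) => a !== '--'), '--'];
}

// Simplified end-of-options model (an assumption for illustration, not
// Electron's or Chromium's real parser): split argv into options/positionals.
function splitArgv(argv) {
  const options = [];
  const positionals = [];
  let optionsEnded = false;
  for (const a of argv) {
    if (!optionsEnded && a === '--') { optionsEnded = true; continue; }
    if (!optionsEnded && a.startsWith('--')) options.push(a);
    else positionals.push(a);
  }
  return { options, positionals };
}

// Constructed link carrying option-like text. A real launch hands the link
// over as one argument; this model splits on spaces purely to show the
// effect of the terminator (also an assumption).
const CRAFTED_LINK = `${PROTOCOL}://open --injected-switch=value`;

function simulateLaunch(handlerArgs, link) {
  return splitArgv([...handlerArgs, ...link.split(' ')]);
}

// Registration as it would appear in an Electron main process; `app` is
// passed in so the function can also be exercised with a stand-in object.
function registerProtocolHandler(app, fixedArgs = []) {
  return app.setAsDefaultProtocolClient(PROTOCOL, process.execPath, safeHandlerArgs(fixedArgs));
}
```

With the weak arguments the option-like tail of the link is parsed as an option; with the trailing "--" it stays a positional argument.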