INFRA
INFRA
INFRA
Here’s what you need to know about the critical Electron vulnerability
A critical vulnerability in a common open-source framework used in applications has flown under the radar, but it may present a serious risk, according to security researchers.
The critical vulnerability lies in Electron, an open source node.js, V8 and Chromium framework. It gives hackers access to any software using the framework via a remote code execution flaw, a vulnerability that allows an attack to execute a command on a targeted machine or in a targeted process.
Electron is certainly not a household name outside the programming community, but the software and sites that use it certainly are: Microsoft Corp.’s Skype and Visual Studio, the Brave browser, GitHub’s Atom Editor, the Signal messaging app, Slack, Basecamp, WordPress.com, Twitch and many others.
The team behind Electron’s development has deployed a patch for the vulnerability but it still needs to be implemented by those who have used the framework previously, a process that may take time and will also require app users to update their software as well.
Jeff Williams, co-founder and chief technology officer at Contrast Security Inc., told SiliconANGLE that though this vulnerability is new, there have been numerous so-called protocol handler attacks over the years.
“Browsers normally use links to access resources on the Internet. Like http://facebook.com. That tells the browser to send an HTTP request on port 80 to Facebook.com, receive an HTTP response, and render the HTML inside in the browser. Simple,” Williams said. “But wouldn’t it be nice if you could click on links to open other applications? Maybe you could use a “skype://” link to make a Skype call? It would be convenient to have links to accept a meeting invite in your calendar or join a GoToMeeting. It would also be very dangerous.”
Williams said that if these custom links, called custom protocol handlers, are enabled, then an attacker can try to trick people into clicking on one. “That gives them a path to attacking your desktop applications,” he said. “The attacker might try to trick that application into doing something it shouldn’t, like deleting files or stealing information. The worst possible thing would be if the attacker could trick that application into running arbitrary code.”
The unfortunate part is that any Windows application built using Electron that registers one of these custom protocol handlers allows that kind of attack, resulting in a complete takeover of the computer. Williams suggested that any affected applications be updated quickly.
Image: Electron
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
