Have you updated your Electron app? We hope so. There was a bad code-injection bug in it
Infosec bods remind devs, users to check for patches
Electron – the widely used desktop application framework that renders top programs such as Slack, Atom, and Visual Studio Code – suffered from a security vulnerability that potentially allows miscreants to execute evil code on victims' computers.
That means applications relying on Electron may need updating. If you use an Electron-based program – there's a list here – you should follow best practices and make sure you're running the latest release of the software. And app developers should ensure their software is patched, or at least not vulnerable, and available to download.
The programming blunder was highlighted and described in detail this month by Trustwave's Brendan Scarvell. In short: the bug, CVE-2018-1000136, can be exploited to import arbitrary code into the application via Node.js.
An app developer only needed to be a little careless, and accept the default settings, and their application would be vulnerable. The issue was fixed in late March by the Electron team.
Scarvell noted that the framework is used by “Slack, Discord, Signal, Atom, Visual Studio Code, and Github Desktop,” among others, although the Signal team told us that Signal for Desktop was not affected by the above flaw. Similarly, other apps may not be vulnerable.
Scarvell set out the conditions for an app to be at risk: it's built on Electron version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3, and the developer hasn't manually opted into one of the following:
- declared webviewTag: false in its webPreferences;
- enabled the nativeWindowOption option in its webPreferences; or
- intercepted new-window events and overridden event.newGuest without using the supplied options tag.
So, what's going on here? Setting nodeIntegration: false in an app's webPreferences is supposed to prevent the software using Electron's APIs from gaining access to Node.js – and that's switched off by default. The nodeIntegration: false setting also saves the developer the effort of sanitising user inputs which, if they were handled by Node.js, would enable cross-site-scripting attacks.
The one bug to bring them all down - CVE-2018-1000136 (including, but not limited to: Signal Desktop, Slack, Discord, Atom, Visual Studio Code, Github Desktop) https://t.co/dPDkecJzFm #electron #vulnerability— x0rz (@x0rz) May 12, 2018
As Scarvell explained, the vulnerability he found allowed an attacker to change the nodeIntegration setting to “true”.
The issue is in the handling of another tag, WebView, which allows a developer to “embed content, such as web pages, into your Electron application and run it as a separate process,” in combination with how Electron handles new browser windows.
An attacker, he wrote, could control the new browser window (the window.open command) to pass a WebView tag that enabled nodeIntegration (that is, set it to “true”).
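The mitigations in Scarvell's list, in particular intercepting new-window events and building the guest window yourself from hardened options rather than from whatever the page passed to window.open, look like the following in practice. This is an added example written for this article; it is not the Electron project's code and not from the Trustwave write-up. It assumes Electron's webContents 'new-window' event with its (event, url, frameName, disposition, options) arguments and its event.newGuest property, and the real webPreferences keys nodeIntegration, webviewTag and contextIsolation. Electron itself is not loaded: the BrowserWindow constructor is injected, a stand-in class takes its place, and the origins app.example.invalid and evil.example.invalid are constructed samples.

```javascript
// Added example, not code from the article or from Electron.
// Hardened policy for windows a page tries to open via window.open().

// webPreferences that keep a renderer away from Node.js and from <webview>.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  webviewTag: false,
  contextIsolation: true,
});

// Constructed sample: the only origin new windows may navigate to.
const ALLOWED_ORIGINS = ['https://app.example.invalid'];

// Merge caller-supplied window options with the hardened set; hardened values
// always win. Returns which keys the caller tried to set differently, so the
// app can log an attempt to re-enable nodeIntegration or the webview tag.
function hardenWindowOptions(options = {}) {
  const requested = (options && options.webPreferences) || {};
  const overridden = Object.keys(HARDENED_WEB_PREFERENCES).filter(
    (k) => k in requested && requested[k] !== HARDENED_WEB_PREFERENCES[k]
  );
  return {
    options: { ...options, webPreferences: { ...requested, ...HARDENED_WEB_PREFERENCES } },
    overridden,
  };
}

// Allow-list check on the target URL. Non-URLs and schemes such as
// javascript: have no matching origin and are rejected.
function isAllowedUrl(url) {
  try {
    return ALLOWED_ORIGINS.includes(new URL(url).origin);
  } catch (_) {
    return false;
  }
}

// Handler for webContents 'new-window' (Electron 1.x/2.x signature).
// It always calls event.preventDefault(), so Electron never creates the guest
// from the page-controlled options; for an allowed URL it assigns a window
// built from hardened options to event.newGuest, otherwise nothing opens.
function makeNewWindowHandler(BrowserWindowCtor, log = () => {}) {
  return function onNewWindow(event, url, frameName, disposition, options) {
    event.preventDefault();
    if (!isAllowedUrl(url)) {
      log(`blocked window.open to ${url}`);
      return null;
    }
    const { options: safe, overridden } = hardenWindowOptions(options);
    if (overridden.length) log(`overrode ${overridden.join(', ')} for ${url}`);
    const win = new BrowserWindowCtor(safe);
    win.loadURL(url);
    event.newGuest = win;
    return win;
  };
}

// Stand-in for electron.BrowserWindow so the policy can run without Electron.
class StandInBrowserWindow {
  constructor(options) { this.options = options; this.url = null; }
  loadURL(url) { this.url = url; }
}

// Drives the handler with two simulated 'new-window' events: one from a page
// asking for a Node-enabled window on a foreign origin, one legitimate link
// that still gets forced onto the hardened preferences.
function demo() {
  const messages = [];
  const onNewWindow = makeNewWindowHandler(StandInBrowserWindow, (m) => messages.push(m));
  const mkEvent = () => ({
    defaultPrevented: false,
    newGuest: undefined,
    preventDefault() { this.defaultPrevented = true; },
  });
  const hostile = mkEvent();
  const blocked = onNewWindow(hostile, 'https://evil.example.invalid/', '', 'new-window',
    { webPreferences: { nodeIntegration: true, webviewTag: true } });
  const benign = mkEvent();
  const opened = onNewWindow(benign, 'https://app.example.invalid/help', '', 'new-window',
    { webPreferences: { nodeIntegration: true } });
  return { hostile, blocked, benign, opened, messages };
}

// In a real app: mainWindow.webContents.on('new-window', makeNewWindowHandler(BrowserWindow, console.log));
```

In a real app the handler is registered with mainWindow.webContents.on('new-window', ...) and the real BrowserWindow is passed in place of the stand-in; the main window itself should be created with the same HARDENED_WEB_PREFERENCES so the webview tag is off everywhere.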