Electron framework logo

A flaw in a very popular software-building framework may affect a large number of popular desktop apps from Microsoft (Skype, Visual Studio Code), Brave (browser), GitHub (Atom Editor), Signal, Slack, Basecamp, WordPress.com, Twitch, Ghost, and others.

The flaw affects Electron, a software framework created by the GitHub team to aid in the development of the Atom source code editor.

Since its creation in 2013, the framework became insanely popular because it allowed app developers to create cross-OS applications using basic web technologies such as JavaScript (Node.js), HTML, and CSS.

Because of this, Electron has been used by a huge number of products, even for heavy-duty apps such as encrypted instant messaging powerhouse Signal, Microsoft's revamped Skype client, and all sorts of desktop companion apps for services such as Twitch, Slack, Basecamp, and WordPress.com.

Some Electron-based apps vulnerable to severe RCE bug

On Monday, the Electron team said it patched a remote code execution vulnerability in the Electron framework. The vulnerability affects only Windows apps, not apps for Mac or Linux.

Electron devs said Electron apps that register themselves as the default app for handling custom protocol formats such as myapp:// are vulnerable and will allow an attacker to execute malicious code on affected systems remotely.

The flaw, which resides in the Electron framework's app.setAsDefaultProtocolClient API was patched on Monday when the Electron team released versions 1.8.2-beta.4, 1.7.11, and 1.6.16 of the software-building framework.

Developers also included a quick workaround for app developers who cannot update their apps to the new Electron framework code just yet.

The workaround is a temporary fix to prevent attackers from exploiting the flaw, but experts expect attackers to find a way around it pretty soon.

Microsoft has also added support for detecting attempts to exploit the flaw on systems protected with Windows Defender.

App developers are the first ones who need to act by incorporating the Electron fixes in their apps. Second, app users will need the apply the most recent patches for any of the apps listed on this page. Not all of these applications register themselves as default protocol handlers (hence they are not vulnerable) but it's better to err on the side of caution and update your apps anyway.