News

VS Code Susceptible to Electron-Based Vulnerability

Visual Studio Code, being based on the open source Electron framework, is among applications susceptible to a remote code execution vulnerability just patched by the Electron team this week.

New editions of Electron, developed by GitHub, were shipped to provide a fix. (Update: As noted in the comments section, VS Code users who update to version 1.19 are protected from this vulnerability. The release notes for that version state: "This update also includes a fix for an Electron security vulnerability.")

"A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers," the team said in a blog post this week. "This vulnerability has been assigned the CVE identifier CVE-2018-1000006.

That Common Vulnerability and Exposures entry says:

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

The vulnerability affects only Windows-based apps -- not macOS or Linux -- and VS Code is among Electron-based apps listed on the Electron site. Other popular programs said to be at risk include Skype, Slack, WordPress and GitHub's Atom code editor.

"We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.4, 1.7.11, and 1.6.16. "We urge all Electron developers to update their apps to the latest stable version immediately.

"If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted."

The Electron post said the vulnerability affects Windows-based Electron apps that register themselves as the default handler for a protocol, such as: "myapp://".

Apps reportedly can be affected no matter how the protocol is registered, via native code, the Windows registry or the aforementioned app.setAsDefaultProtocolClient API.

The Windows Defender Security Intelligence team on Tuesday tweeted that the "recent protocol handler bug disclosed by Electror" was spotted by the Windows Defender Advanced Threat Protection tool.

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus

Featured

  • Visual Studio 2019 v16.7 Ships with Better Git Integration

    Better GitHub integration and other improvements highlight the new Visual Studio 2019 Version 16.7 and first preview of v16.8.

  • Visual Studio Codespaces Private Preview Woos C++ Developers

    Microsoft announced a private preview of Visual Studio Codespaces, which eases the setup and use of cloud-powered development environments that can be used from anywhere for remote development and other scenarios, targeting C++ console app and library developers.

  • Data Prep for Machine Learning: Normalization

    Dr. James McCaffrey of Microsoft Research uses a full code sample and screenshots to show how to programmatically normalize numeric data for use in a machine learning system such as a deep neural network classifier or clustering algorithm.

  • Microsoft Intros Azure Well-Architected Framework Best Practices

    Taking a page from the Amazon Web Services (AWS) book on cloud computing platforms, Microsoft has introduced its own Azure Well-Architected Framework, providing a set of architecture best practices to help users build and deliver great solutions and improve the quality of cloud workloads.

  • Creating a Progressive Web App with Blazor WebAssembly

    Not surprisingly, it's dead easy to create an app in Blazor that runs outside of the browser window and (potentially) in an offline mode. Before you get carried away, though, there are some key design decisions to make.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events