Software Framework Flaw (RCE vulnerability) Affects Apps From Skype, Signal, Slack, Twitch, Others

ZMsiXone · Jan 24, 2018

source (bleepingcomputer.com): https://www.bleepingcomputer.com/ne...s-apps-from-skype-signal-slack-twitch-others/

A flaw in a very popular software-building framework may affect a large number of popular desktop apps from Microsoft (Skype, Visual Studio Code), Brave (browser), GitHub (Atom Editor), Signal, Slack, Basecamp, WordPress.com, Twitch, Ghost, and others.

The flaw affects Electron, a software framework created by the GitHub team to aid in the development of the Atom source code editor.
Since its creation in 2013, the framework became insanely popular because it allowed app developers to create cross-OS applications using basic web technologies such as JavaScript (Node.js), HTML, and CSS.

Because of this, Electron has been used by a huge number of products, even for heavy-duty apps such as encrypted instant messaging powerhouse Signal, Microsoft's revamped Skype client, and all sorts of desktop companion apps for services such as Twitch, Slack, Basecamp, and WordPress.com.

Some Electron-based apps vulnerable to severe RCE bug
On Monday, the Electron team said it patched a remote code execution vulnerability in the Electron framework. The vulnerability affects only Windows apps, not apps for Mac or Linux.
Electron devs said Electron apps that register themselves as the default app for handling custom protocol formats such as myapp:// are vulnerable and will allow an attacker to execute malicious code on affected systems remotely.

The flaw, which resides in the Electron framework's app.setAsDefaultProtocolClient API was patched on Monday when the Electron team released versions 1.8.2-beta.4, 1.7.11, and 1.6.16 of the software-building framework. Developers also included a quick workaround for app developers who cannot update their apps to the new Electron framework code just yet.
The workaround is a temporary fix to prevent attackers from exploiting the flaw, but experts expect attackers to find a way around it pretty soon.
Click to expand...

RockLobster · Feb 15, 2018

That is not Skypes problem that is a Windows vulnerabilty that has been known for years, applications look for dll's first in the local folder before the system folder and it wouldnt take any massive code rewrite to digitally sign the dll and have skype verify that signature before loading the dll.

Log in or Sign up

Software Framework Flaw (RCE vulnerability) Affects Apps From Skype, Signal, Slack, Twitch, Others

ZMsiXone Registered Member

RockLobster Registered Member

Log in or Sign up

Software Framework Flaw (RCE vulnerability) Affects Apps From Skype, Signal, Slack, Twitch, Others

ZMsiXone Registered Member

RockLobster Registered Member

Useful Searches