TTCSIRT-083.013018: TT-CSIRT Advisory – JavaScript Security Updates
A security update has been released for Electron, a popular JavaScript library used to develop desktop applications built with web components, such as Skype and Slack.
A vulnerability has been identified in the library: if the victim navigates to a specially crafted link that calls the app.setAsDefaultProtocolClient method in the Electron API, remote code execution could take place. This would allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
Further information on this vulnerability and how it can be mitigated can be found at https://www.cisecurity.org/advisory/a-vulnerability-in-electron-could-allow-for-remote-code-execution_2018-012/