Here’s what you need to know about the critical Electron vulnerability
A critical vulnerability in a widely used open-source framework for building desktop applications has flown under the radar, but it may present a serious risk, according to security researchers.
The vulnerability lies in Electron, an open-source framework that combines Node.js, V8 and Chromium so that desktop applications can be written in web technologies. It is a remote code execution flaw: an attacker who gets a user to follow a crafted link can execute commands in an affected application's process on the targeted machine. The affected applications are Windows builds that register a custom protocol handler (a custom URL scheme of their own), not every program built on the framework.
Electron is certainly not a household name outside the programming community, but the software built with it certainly is: Microsoft Corp.'s Skype and Visual Studio Code, the Brave browser, GitHub's Atom editor, the Signal messaging app, Slack, Basecamp, the WordPress.com desktop app, Twitch and many others.
The Electron team has released patched versions of the framework, but the fix only reaches end users once each affected application is rebuilt on a fixed release and shipped, a process that takes time and also requires users to update their installed apps.
Jeff Williams, co-founder and chief technology officer at Contrast Security Inc., told SiliconANGLE that though this vulnerability is new, there have been numerous so-called protocol handler attacks over the years.
“Browsers normally use links to access resources on the Internet. Like http://facebook.com. That tells the browser to send an HTTP request on port 80 to Facebook.com, receive an HTTP response, and render the HTML inside in the browser. Simple,” Williams said. “But wouldn’t it be nice if you could click on links to open other applications? Maybe you could use a ‘skype://’ link to make a Skype call? It would be convenient to have links to accept a meeting invite in your calendar or join a GoToMeeting. It would also be very dangerous.”
Williams said that if these custom links, called custom protocol handlers, are enabled, then an attacker can try to trick people into clicking on one. “That gives them a path to attacking your desktop applications,” he said. “The attacker might try to trick that application into doing something it shouldn’t, like deleting files or stealing information. The worst possible thing would be if the attacker could trick that application into running arbitrary code.”
The unfortunate part is that any Windows application built using Electron that registers one of these custom protocol handlers is exposed to exactly that kind of attack, which can end in a complete takeover of the computer. Williams advised that any affected application be updated quickly.
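To make the protocol-handler attack path concrete, the following is an added example written for this article; it is not Electron's code or the researchers' proof of concept. It models, in plain Node.js, how a clicked custom-scheme URL is substituted into the handler command registered on Windows, split back into argv, and then scanned for Chromium-style switches. The scheme `myapp`, the path `C:\app\app.exe`, the switch name `--evil-switch` and the command-line splitter are all simplified, hypothetical stand-ins; the one real detail it rests on is that a `--` argument ends switch parsing, so anything after it is treated as positional.

```javascript
// Added example (not Electron project code). Hypothetical scheme "myapp",
// hypothetical executable path and switch name; the splitter is a simplified
// model of Windows argument splitting (whitespace separates, double quotes group).
function splitCommandLine(cmdline) {
  const args = [];
  let cur = '';
  let inQuotes = false;
  let pending = false; // true once an argument has started, even if it is ""
  for (const ch of cmdline) {
    if (ch === '"') { inQuotes = !inQuotes; pending = true; continue; }
    if (!inQuotes && /\s/.test(ch)) {
      if (pending) { args.push(cur); cur = ''; pending = false; }
      continue;
    }
    cur += ch;
    pending = true;
  }
  if (pending) args.push(cur);
  return args;
}

// The OS runs the registered template with %1 replaced by the clicked URL.
function buildCommandLine(template, url) {
  return template.replace('%1', url);
}

// Chromium-style switch parsing: "--name=value" entries are switches until a
// bare "--" is seen; after that every entry is positional, switches included.
function parseArgv(argv) {
  const switches = {};
  const positional = [];
  let terminated = false;
  for (const arg of argv.slice(1)) { // argv[0] is the executable
    if (!terminated && arg === '--') { terminated = true; continue; }
    if (!terminated && arg.startsWith('--')) {
      const eq = arg.indexOf('=');
      const name = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
      switches[name] = eq === -1 ? '' : arg.slice(eq + 1);
      continue;
    }
    positional.push(arg);
  }
  return { switches, positional };
}

// End-to-end: what the app sees when a link is opened against a given template.
function handleProtocolLaunch(template, url) {
  return parseArgv(splitCommandLine(buildCommandLine(template, url)));
}

// Weak registration: the URL is the last quoted argument.
const WEAK_TEMPLATE = '"C:\\app\\app.exe" "%1"';
// Hardened registration: a "--" before "%1" ends switch parsing.
const HARDENED_TEMPLATE = '"C:\\app\\app.exe" -- "%1"';

// Constructed hostile link: the embedded quote closes the "%1" argument, so the
// rest of the link becomes extra argv entries that look like switches.
const HOSTILE_URL = 'myapp://open" --evil-switch=payload "';
// Constructed ordinary link for comparison.
const BENIGN_URL = 'myapp://open/room/42';

function demo() {
  return {
    weakHostile: handleProtocolLaunch(WEAK_TEMPLATE, HOSTILE_URL),
    hardenedHostile: handleProtocolLaunch(HARDENED_TEMPLATE, HOSTILE_URL),
    weakBenign: handleProtocolLaunch(WEAK_TEMPLATE, BENIGN_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`: under the weak template the hostile link yields a parsed switch `evil-switch=payload`, while under the hardened template the same link yields no switches at all and the junk lands in the positional list, where the application can reject anything that does not parse as a `myapp://` URL. The hardened template is what Electron's own published mitigation produces for applications that cannot upgrade immediately: passing `['--']` as the trailing arguments when calling `app.setAsDefaultProtocolClient` on Windows, which the Electron team documented alongside the fixed releases.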