"Martin Lopez" (via whispersystems Mailing List)
2018-01-25 21:43:21 UTC
One of my friends who uses Signal notified me to avoid clicking on links
in Electron apps, due to a security issue with handling custom protocols
in Windows, known as CVE-2018-1000006.
https://www.cyberscoop.com/electron-vulnerability-skype-slack/
https://hackernoon.com/remote-code-execution-vulnerability-in-electron-apps-b21fbdc162c
The two links above are articles talking about the vulnerability. One of
them mentions Signal by name.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
This link is the bug documentation.
I did see on GitHub that someone posted an issue about this, which was
closed shortly after a dev explained that the Signal development build
was already updated to Electron 1.7.11, which is vulnerability-free.
https://github.com/signalapp/Signal-Desktop/issues/1998
Now, as far as I can tell, the current production build does run an
affected Electron build. However, the Hackernoon link above says that
only Electron apps that are set to be the default handler for a protocol
are vulnerable, and according to my Windows settings, Signal is not. Is
that article correct, and if so, am I correct in taking from it that
Signal Desktop users on Windows do not have to worry about this
vulnerability?
--
Best regards,
Martin Lopez
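For anyone who wants to check the condition the question turns on (whether an Electron app is actually registered as a handler for a custom URL scheme on Windows), the following PowerShell audit is an added example, not code from the original post or from Signal Desktop. It reads the standard registry layout for URL protocols (a scheme key carrying a "URL Protocol" value, with the launched command under shell\open\command) in both the machine-wide and per-user class hives; the 'Signal' filter at the end is an assumption about the executable name and should be adjusted to the app being checked.

```powershell
# Added example: list every URL protocol handler registered on this Windows
# machine and the command line it launches, so a user can verify which
# applications are registered for a custom scheme.
function Get-UrlProtocolHandlers {
    # Machine-wide handlers live under HKCR; per-user registrations
    # (the hive Electron apps typically write to) live under HKCU\Software\Classes.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT',
        'Registry::HKEY_CURRENT_USER\Software\Classes'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Only keys that carry a "URL Protocol" value are URL schemes;
            # the rest are file extensions and ProgIDs.
            if ($null -ne $key.GetValue('URL Protocol')) {
                $cmdKey = "$($key.PSPath)\shell\open\command"
                $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                [PSCustomObject]@{
                    Scheme  = $key.PSChildName
                    Hive    = $root
                    Command = $cmd
                }
            }
        }
    }
}

# Show only handlers whose command line points at the application of interest.
# 'Signal' is an assumed match on the install path / executable name; change it
# to audit a different app, or drop the filter to see every registered scheme.
Get-UrlProtocolHandlers |
    Where-Object { $_.Command -match 'Signal' } |
    Format-Table -AutoSize
```

An empty result means no URL scheme on this machine launches that executable, which is the situation the question describes from the Windows settings view.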