As reported by cyberscoop, a critical vulnerability that allows remote code execution was found to affect some Electron-based apps running on Windows, but not on macOS or Linux. To be vulnerable, an app must also register itself as the default handler for a custom URL protocol, such as app://.
Apps use such protocols to streamline linking between them: a user can, for example, click a link in a web browser or another supported app and have the protocol's registered handler app open, often at a specific location within it. Several Electron apps use this feature, but not all of them do. Skype, for example, registers itself as the handler for skype://, while Slack does the same for slack://. Both Slack and the new Skype are built on Electron and therefore were affected in their unpatched versions.
Several other Windows desktop apps are built on Electron, including the encrypted messaging app Signal, the audio chat app Discord and the content management system WordPress.
Fortunately, Electron has already released a patched version of the framework and urges developers to rebuild their apps against it. Both Microsoft and Slack have confirmed that their apps are already patched and urged all users to update their Skype or Slack desktop apps immediately. Slack for desktop is fixed from version 3.0.3 onward, while a Microsoft spokesperson told cyberscoop that the patch was applied for "the newest version of Skype."
For developers who cannot update their apps right away, passing "--" as the last element of the argument array given to app.setAsDefaultProtocolClient prevents the bug from being triggered, according to ZDNet: the double dash marks the end of command-line switches, so Chromium treats whatever follows it, including the incoming URL, as a positional parameter rather than as options.
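To make that mitigation concrete, here is an added example of registering a protocol handler with the "--" terminator in place, together with a small check that audits an existing argument list. This is not code from the article, from Electron, or from any of the apps mentioned; the protocol name myapp, the switch --enable-feature-x and the stub app object are assumptions so that the snippet runs under plain Node.js outside Electron.

```javascript
// Added example (not code from the original article, Electron, Slack or Skype):
// registering a custom protocol handler in an Electron app with the "--"
// switch terminator described in the advisory. The protocol name "myapp" and
// the switch "--enable-feature-x" are assumed for illustration only.

// Build the argument list handed to app.setAsDefaultProtocolClient.
// Electron appends the incoming URL ("%1") after these arguments in the
// registered command, so a trailing "--" tells Chromium's command-line parser
// that everything after it is a positional parameter, not a switch.
function protocolHandlerArgs(extraSwitches = []) {
  // Drop any stray "--" so the terminator is always exactly the last element.
  const args = extraSwitches.filter((a) => a !== '--');
  args.push('--');
  return args;
}

// Audit helper: does an existing registration end with the terminator?
function hasSwitchTerminator(args) {
  return Array.isArray(args) && args.length > 0 && args[args.length - 1] === '--';
}

// Register `protocol` with the given app object (Electron's `app`, or a stub
// when run outside Electron). Returns the argument list that was registered.
// Signature used: app.setAsDefaultProtocolClient(protocol[, path, args]).
function registerProtocolHandler(app, protocol, extraSwitches = []) {
  const args = protocolHandlerArgs(extraSwitches);
  const ok = app.setAsDefaultProtocolClient(protocol, process.execPath, args);
  if (!ok) {
    throw new Error('could not register ' + protocol + ':// handler');
  }
  return args;
}

// Stub standing in for Electron's `app` so the example runs under plain Node.
// It records each registration instead of touching the Windows registry.
function makeStubApp() {
  const calls = [];
  return {
    calls,
    setAsDefaultProtocolClient(protocol, path, args) {
      calls.push({ protocol, path, args: args.slice() });
      return true;
    },
  };
}

// Demonstration: an unmitigated argument list next to the mitigated one.
const demoApp = makeStubApp();
const unmitigated = ['--enable-feature-x'];
console.log('before:', unmitigated, 'terminated:', hasSwitchTerminator(unmitigated));
const mitigated = registerProtocolHandler(demoApp, 'myapp', unmitigated);
console.log('after: ', mitigated, 'terminated:', hasSwitchTerminator(mitigated));
```

In a real app, `demoApp` would be replaced by Electron's `app` object, and the call would normally sit in the `ready` handler. The audit helper is useful when reviewing several Electron apps at once: any registration whose argument list does not end in "--" is one that still relies on the framework fix alone.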
But since Electron's advisory does not list which apps register protocol handlers on Windows, it is not possible to know exactly which apps were affected. As a precaution, end users should keep their applications up to date so that they benefit from the latest security patches.