electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above. This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6.
The product does not validate, or incorrectly validates, a certificate.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Electron-builder | Electron | * | 6.3.0 (excluding) |
| Electron-builder | Electron | 6.3.0-alpha0 (including) | 6.3.0-alpha0 (including) |
| Electron-builder | Electron | 6.3.0-alpha1 (including) | 6.3.0-alpha1 (including) |
| Electron-builder | Electron | 6.3.0-alpha2 (including) | 6.3.0-alpha2 (including) |
| Electron-builder | Electron | 6.3.0-alpha3 (including) | 6.3.0-alpha3 (including) |
| Electron-builder | Electron | 6.3.0-alpha4 (including) | 6.3.0-alpha4 (including) |
| Electron-builder | Electron | 6.3.0-alpha5 (including) | 6.3.0-alpha5 (including) |