Electron is a "web application writing platform" used by software such as Skype and Slack for Windows (among many others). News articles from today are purporting that these applications are now vulnerable to remote code execution due to vulnerabilities in the Electron framework itself.
I am running Skype on my Windows machine. It registers itself as the default handler for a protocol (let's say skype://). It is not running as a service. How am I susceptible to remote code execution if the software is not running as a service? What steps would need to happen for RCE to happen... namely, would I have to click on a link? Would an attacker have to initiate a Skype conversation with me in order to trigger the exploit?
Further, is the attack mechanism the same for every piece of software affected, or is it a different attack vector for every piece of software?
EDIT: Looking through the release notes and source code commits, I noticed this change.
It seems to imply the attack vector would be a specially crafted 'launching' URI (taking advantage of the default handler). If that's true, though, it makes me think the user would either have to click this link or visit a website that redirects to the link. Can somebody confirm?