Xshell Forum

Updates - compromise

Last post: Wednesday, August 23, 2017 5:01 PM by Support, 2 replies

 
Friday, August 18, 2017 11:41 PM - D Rigby

Updates - compromise

 
In the security notification I received from CERT re the recent compromise, it stated:

"IP addresses belonging to your organisation have been observed downloading at least one of the trojanised versions of NetSarang software"

I have checked and don't have the compromised version running, nor did I manually download it. I did note a recent version in my 'appdata\local\temp\patches' folder though.

I make the assumption that the update check pre-fetches the newer version and that is why it would have been noted as having been downloaded.

Would that assumption be correct?

Thanks.

Program Ver.: Xshell 5

Saturday, August 19, 2017 12:02 AM - Support

Re: Updates - compromise

 
Hello,

Our number 1 priority at the moment is to get users off the backdoored Build and onto the secured Build. Therefore, we intentionally cast our net wider than necessary in order to ensure that we notified any potential user of the affected package. Many of our users source our software from other locations and therefore we may not have had their email address, which forced us to use different means of contact.

This may have led to users who were never at risk being informed that they were. You may have been one of those users.

I'll have our team investigate to see why you received that notification, but in the meantime, if you never used the affected Build number, then you were not affected.

Technical Support

Wednesday, August 23, 2017 5:01 PM - Support

Re: Updates - compromise

 
I've confirmed with our dev team that the client does not pre-fetch the update package. It is only downloaded if you agree to the update.

What you are seeing in the folder is the remains of a previous update which was initiated by the user, not a pre-fetched version which was never initiated.

Technical Support
