Updates - compromise [2]
- Netsarang Support
Owned by Netsarang Support
Mar 08, 2021
2 min read
Loading data...
Updates - compromise
Friday, August 18, 2017 11:41 PM - D Rigby
In the security notification I received from CERT re the recent compromise, it stated:
"IP addresses belonging to your organisation have been observed downloading at least one of the trojanised versions of NetSarang software"
I have checked and don't have the compromised version running, nor did I manually download it. I did note a recent version in my 'appdata\local\temp\patches' folder though.
I make the assumption that the update check pre-fetches the newer version and that is why it would have been noted as having been downloaded.
Would that assumption be correct?
Thanks.
Program Ver. : Xshell 5
"IP addresses belonging to your organisation have been observed downloading at least one of the trojanised versions of NetSarang software"
I have checked and don't have the compromised version running, nor did I manually download it. I did note a recent version in my 'appdata\local\temp\patches' folder though.
I make the assumption that the update check pre-fetches the newer version and that is why it would have been noted as having been downloaded.
Would that assumption be correct?
Thanks.
Program Ver. : Xshell 5
Re: Updates - compromise
Saturday, August 19, 2017 12:02 AM - Support
Hello,
Our number 1 priority at the moment is to get users off the backdoored Build and onto the secured Build. Therefore, we intentionally cast our net wider than necessary in order to ensure that we notified any potential user of the affected package. Many of our users source our software from other locations and therefore we may not have had their email address which forced us to use different means of contact.
This may have led to users who were never at risk being informed that they were. You may have been one of those users.
I'll have our team investigate to see why you received that notification, but in the meantime, if you never used the affected Build number, then you were not affected.
Technical Support
Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Our number 1 priority at the moment is to get users off the backdoored Build and onto the secured Build. Therefore, we intentionally cast our net wider than necessary in order to ensure that we notified any potential user of the affected package. Many of our users source our software from other locations and therefore we may not have had their email address which forced us to use different means of contact.
This may have led to users who were never at risk being informed that they were. You may have been one of those users.
I'll have our team investigate to see why you received that notification, but in the meantime, if you never used the affected Build number, then you were not affected.
Technical Support
Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Re: Updates - compromise
Wednesday, August 23, 2017 5:01 PM - Support
I've confirmed with our dev team that the client does not pre-fetch the update package. It is only downloaded if you agree to the update.
What you are seeing in the folder is the remains of a previous update which was initiated by the user, not a pre-fetched version which was never initiated.
Technical Support
Like us on Facebook
Follow us on Twitter
Visit our blog Blog
What you are seeing in the folder is the remains of a previous update which was initiated by the user, not a pre-fetched version which was never initiated.
Technical Support
Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Previous views: 697