CCleaner Community Forums
lmacri

CCleaner v5.63 "Important Security Updates"


Does anyone have further details about the "important security updates" in CCleaner v5.63.7450 (released 15-Oct-2019) and whether this update is being pushed out via the CCleaner Emergency Updater to users who do not have automatic updating enabled?  Was there a change to the security certificates, or is there an exploitable vulnerability in versions v5.57 and higher that has an associated CVE number?

From Ben CCleaner's official product update announcement <here>:

Quote

"In this release we have included some important security updates and minor UI improvements and bug fixes. 

General

  • Users on versions v5.57 through to v5.62 have been automatically updated to the new version to take advantage of its enhanced security and improved performance. Users will not notice any change to any of their product settings and can continue to use it as normal
  • Minor UI changes and bug fixes..."


I did ask about the 'Important security updates' but received no reply, lmacri.

So we are all waiting to hear what it was :( 


I am also interested in the changes in this update.  As a user of old versions (not a fan of later UI changes) I'd like to know what type of risk I am at continuing to use them.  I hope an admin can let us know.

I am guessing it has to do with the traffic the program sends back and forth (telemetry, etc) as I can't think what else CCleaner does network related but yeah, just guessing!

Thanks.


For 5.63 we released with a new signing certificate as a precautionary security measure (https://www.ccleaner.com/news/blog/2019/10/21/ccleaner-version-563-preventative-update-as-part-of-our-zero-tolerance-policy-against-cybercrime).

For users on older versions, "we are confident to say that our CCleaner users are protected and unaffected".  That said, as always:

  1. We recommend that people use the latest version of our software - or any other software for that matter.
  2. As has been mentioned in these pages before, only versions of CCleaner from 5.46 and above are recommended for use on Windows 10. 
  3. Users impacted by the bug that causes notifications to appear more often than intended are recommended to update to CCleaner 5.54 or higher.
  4. While the new "Easy Clean" experience (released in CCleaner 5.57) has been extremely popular with most of our users, those who prefer the old-style of cleaning can still find the interface they are more familiar with under "Custom Clean" and set that to be their default cleaning mode to continue to use CCleaner in the same way as they did with previous versions while still enjoying the latest updates to cleaning rules that come with the newer releases.


Thanks to both Dave CCleaner and hazelnut for their replies and links to blog entries that include further details about this internal network breach.


In my case I have several computers that were automatically updated to 5.63, BUT one machine that I hadn't used for a while had 5.58, so I downloaded 5.63 using the official download from Piriform and put it on a CD using another machine. I tried to instal 5.63 offline using the CD on the machine that had not been updated automatically, and the installation/update came to a halt, something to do with CCUpdate.exe. Is this anything to be concerned about?

As a precaution I uninstalled CCleaner from that machine and will instal another product soon.

1 hour ago, Dave CCleaner said:

The advantages of having a "Big Uncle" who is a security company - we're a harder target than we were back in 2017.

 

Hi Dave CCleaner:

According to the 21-Oct-2019 Avast blog entry Avast Fights Off Cyber-Espionage Attempt, Abiss that hazelnut referenced <above>:
 

Quote

"...When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.

After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA....

...On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected...."

 

If I understood that article correctly, hackers managed to access Avast's internal network several times over a four-month period using stolen login credentials and somehow managed to attain domain admin privileges before these incursions were detected.  They might not have managed to inject malware into the CCleaner installer as they did in 2017 (see the BleepingComputer article Avast Clarifies Details Surrounding CCleaner Malware Incident for more information about a 2017 supply chain attack where the CCleaner v5.33 installer was infected with a Floxif trojan and released to users), but it sounds to me like "Big Uncle" still has room for improvement when it comes to securing their network access.

45 minutes ago, Michael88 said:

I tried to instal 5.63 offline using the CD on the machine that had not been updated automatically, and the installation/update came to a halt, something to do with CCUpdate.exe. Is this anything to be concerned about?

@Michael88: No concerns if you downloaded from CCleaner and not a third party website.  Sounds like it might have been this? 

 


No, it wasn't as you have shown. The error message mentioned ccupdate.exe, and the message gave the option to cancel, skip that file or continue. I have since reverted my hard drive to 31st August and then uninstalled CCleaner (also removed ccupdate.exe) and did another backup. So if it doesn't instal today my system will not have to go back very far. I don't normally have problems with installing programs, so it is a mystery. I did check the hash file etc. at the time before installing, and they did match.

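Two things in this thread are worth checking for yourself on a downloaded installer: that its hash matches the value the vendor publishes (Michael88's check above), and that its Authenticode signature is valid and the signing certificate has not been revoked (the re-sign and revocation Avast describes). The PowerShell below is an added example, not CCleaner's, Piriform's or Avast's own code; the installer path and the expected SHA-256 are placeholders you replace with the vendor's published values.

```powershell
# Added example (not CCleaner/Avast code). Verifies a downloaded installer before it is run:
# published SHA-256, Authenticode signature status, and a certificate chain build with
# online revocation checking so a revoked signing certificate is reported, not accepted.
param(
    [string]$InstallerPath  = 'C:\Downloads\ccsetup563.exe',      # placeholder path
    [string]$ExpectedSha256 = 'PASTE-THE-VENDOR-PUBLISHED-SHA256'  # placeholder, from the vendor page
)

function Test-InstallerIntegrity {
    param([string]$Path, [string]$ExpectedHash)

    $result = [ordered]@{ HashMatches = $false; SignatureStatus = 'Unchecked'; ChainOk = $false
                          Signer = $null; Thumbprint = $null; Problems = @() }

    # 1. File hash against the vendor-published value (catches a swapped or corrupted download).
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($actual -ieq $ExpectedHash)
    if (-not $result.HashMatches) { $result.Problems += "SHA-256 mismatch: got $actual" }

    # 2. Authenticode: 'Valid' means the file is unmodified since signing and the signer is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.Status -ne 'Valid') { $result.Problems += "Signature status is $($sig.Status)" }

    if ($sig.SignerCertificate) {
        $result.Signer     = $sig.SignerCertificate.Subject
        $result.Thumbprint = $sig.SignerCertificate.Thumbprint

        # 3. Rebuild the signer's chain at the current time with online CRL/OCSP checks for the
        #    whole chain, and require the code-signing EKU (OID 1.3.6.1.5.5.7.3.3).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
        $result.ChainOk = $chain.Build($sig.SignerCertificate)
        if (-not $result.ChainOk) {
            $result.Problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
    } else {
        $result.Problems += 'No signer certificate present'
    }

    $result.Safe = ($result.HashMatches -and $result.SignatureStatus -eq 'Valid' -and $result.ChainOk)
    return [pscustomobject]$result
}

Test-InstallerIntegrity -Path $InstallerPath -ExpectedHash $ExpectedSha256 | Format-List
```

Step 3 matters because a timestamped signature made before a certificate was revoked can still report 'Valid' in step 2; building the chain at the current time with online revocation surfaces the revoked certificate separately.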

Tried another instal today and missed the option to uncheck installing Google Chrome! So when this started installing as well as CCleaner, I went to my system backup. If you have an "arrangement" with Chrome to add an option to instal their browser, it should be shown more clearly.

However, the outcome is I did then successfully instal CCleaner.
