lambrinoul

Viscosity or Tunnelblick security risk?



I thought I had posted my last question for the day but then I came across this post on a blog which I wanted to share on this forum.

When either Viscosity or Tunnelblick is installed, an unprivileged user can elevate permissions to become root (the Administrator user). EDIT by Staff: only true for obsolete versions

http://blog.zx2c4.com/791

I would appreciate it if the knowledgeable staff could shed light on the above.



Hello,

the reported Tunnelblick vulnerability (affecting 3.2.8 and earlier versions) was quickly addressed already in Tunnelblick 3.3experimental, and has been ultimately fixed in Tunnelblick 3.3beta22 on 12-Sep-2012, i.e. just a few weeks after the notification. http://code.google.com/p/tunnelblick/wiki/RlsNotes

About Viscosity, on the very same page to which you provided the link, it is written that Jason Donenfeld reported the vulnerability to the vendor on 11-Aug-2012 and the vendor corrected it on 30-Aug-2012.

You should never run obsolete program versions: vulnerabilities are discovered every day and it's important to address them expeditiously.

Also keep your OS X up to date (although Apple is sometimes slow in addressing vulnerabilities): dozens of vulnerabilities are discovered every month. The work of those who discover vulnerabilities and notify the programmers about vulnerabilities is invaluable.

Kind regards
