According to an announcement today from Piriform, the company that develops the popular and widely used Windows utility CCleaner, a version of this software that was available to users for about a month contained malicious code that would send system data about the end user's machine to a third-party server.
In this statement Piriform states that their parent company Avast, which acquired Piriform back in July of this year, discovered this compromise on 12 September and that it was a sophisticated attack.
Two versions of the CCleaner software were compromised:
-- CCleaner (32-bit) Version 5.33.6162
-- CCleaner Cloud Version 1.07.3191
The 32-bit version of CCleaner was available to end users from 15 August until 12 September, while the CCleaner Cloud version was accessible from 24 August until 15 September. The first clean versions of CCleaner that users should now be using are 5.34 and 1.07.3214 respectively.
Piriform worked with US law enforcement and had this third-party server shut down on the 15th of September, prior to releasing details of the compromise, to allow the company to complete their initial assessment of it.
Throughout Piriform's blog post about this compromise, the language is very consistent in how they describe its impact:
"We resolved this quickly and believe no harm was done to any of our users."
"The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server."
"Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done."
Now it is not surprising to see carefully selected language and phrases used throughout an announcement like this because the company has a legal position to maintain. They do admit that the compromise occurred but also want to minimize the overall impact and risk to customers.
In a second blog post with technical details of the compromise, Piriform's Vice President of Products, Paul Yung, provides the following concerning the source of this malicious code and how it entered the normal release of a CCleaner update to users:
"At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis."
He also shared that the company is taking steps internally to see that such a compromise does not happen again:
"Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products."
After any big breach of user data, companies are going to apologize; however, I find that these two statements contradict each other.
In one they do not want to speculate about what might have happened, but in the second they are making internal changes so it does not happen again.
It seems they may have a pretty good idea of how this all went down but are not in a position to fully state those circumstances right now. I suspect that is partly related to not wanting to impact the ongoing investigation and also to trying to remain on safe legal ground from a liability perspective.
No matter how this happened, it shows a vulnerability that exists in the relationship between users and trusted software. Personally, I am not a fan of utilities that use registry cleaning as a means to solve Windows issues - they tend to cause more harm than good in my opinion - and I have seen those results on systems I have supported in the past.
However, there are certainly a lot of users who opt to trust and use CCleaner for their own reasons. According to this deep technical analysis of the compromise of CCleaner from Talos Intelligence, Piriform claimed last November that they were adding 5 million new desktop installs of CCleaner each week.
That means this malicious code had the potential to reach more than 20 million users in the period of time the bad versions of CCleaner were available for download. Talos found that the compromised updates of CCleaner were signed with a valid digital certificate which was issued to Piriform by Symantec.
Trusted software with compromised code and signed by a valid certificate is scary stuff.
If you used one of the compromised versions of CCleaner, update your software immediately to the latest version available from the CCleaner download page. Automatic updates should already have been triggered on your systems for both the 32-bit and Cloud versions of the software, but checking your version number today will confirm that you are fully up to date.
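An added check, not from the post or from Piriform, that a Windows administrator could run to see whether a machine still carries one of the builds named above and to show that the binary's signature alone is not a useful indicator. It assumes CCleaner registers under the standard Windows Uninstall keys with a DisplayVersion string such as "5.33.6162", and that the executable is CCleaner.exe beneath the InstallLocation value.

```powershell
# Affected and first-clean versions as stated in Piriform's announcement.
$affected = @{
    'CCleaner'       = @{ Bad = [version]'5.33.6162'; Clean = [version]'5.34' }
    'CCleaner Cloud' = @{ Bad = [version]'1.07.3191'; Clean = [version]'1.07.3214' }
}

# Standard Uninstall keys; the WOW6432Node key is where 32-bit installs
# (the affected desktop build) appear on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

if (-not $installs) { Write-Output 'No CCleaner entry found in the Uninstall keys.' }

foreach ($app in $installs) {
    # Pick the product line by name; anything with "Cloud" in it is the Cloud client.
    $product = if ($app.DisplayName -match 'Cloud') { 'CCleaner Cloud' } else { 'CCleaner' }
    $ref     = $affected[$product]
    $ver     = [version]$app.DisplayVersion   # assumption: DisplayVersion parses as a version

    $status = 'At or above first clean release'
    if ($ver -lt $ref.Clean) { $status = 'Older than first clean release - update' }
    if ($ver -eq $ref.Bad)   { $status = 'COMPROMISED build - update now' }
    Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $ver, $status)

    # A "Valid" Authenticode status does not prove the build is clean: the
    # compromised updates were signed with Piriform's legitimate certificate.
    # The executable path below is an assumption, not taken from the post.
    if ($app.InstallLocation) {
        $exe = Join-Path $app.InstallLocation 'CCleaner.exe'
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            Write-Output ('  Signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject)
        }
    }
}
```

Run it in an elevated PowerShell session; a "COMPROMISED" line on any host is the cue to apply the rollback or rebuild advice that follows.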
If your system used the compromised version of CCleaner it may actually be a smarter move to roll your system back to a date prior to the release of the versions containing the malicious code to make sure all elements of the bad code are gone. Otherwise, a complete reformat and clean install of Windows should be done to make sure your system is 100% clean from the compromised code.
Do any of you use CCleaner? What is your response to this situation with the release of a compromised update to the software? Will it change your approach to using Piriform's software?