Frequently Asked Questions About the 2012-09-12 Vulnerabilities
What are the vulnerabilities?
Exploitable security problems exist in all versions of Tunnelblick earlier than version 3.3beta22. They allow an unprivileged user to gain root privileges on any macOS system that has a vulnerable version of Tunnelblick installed.
How can I protect my computer from these vulnerabilities?
Update to the latest version of Tunnelblick.
How can I update to the latest version of Tunnelblick?
You will need your computer's administrator password to update Tunnelblick.
Note: Users of a Deployed version of Tunnelblick must obtain a new version of Tunnelblick from the person or organization that distributed Deployed. See How can I know if I am using a Deployed version.
How to use Tunnelblick's built-in update function
How to install the latest version of Tunnelblick
What versions of Tunnelblick are vulnerable?
All versions of Tunnelblick earlier than version 3.3beta22 are vulnerable.
What version of Tunnelblick do I have?
If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
Am I Using a Deployed Version?
Note: If you try to install Tunnelblick 3.2beta22 or higher on a computer that has a Deployed version of Tunnelblick, an error message will be displayed and the installation will not be performed.
If a "Deploy" folder exists in "Resources", you are using a "Deployed" version of Tunnelblick.
Are there any exploits?
Do I need to be running Tunnelblick to be vulnerable?
No. You need only to have Tunnelblick installed.
Are backup copies of Tunnelblick vulnerable?
Yes, if they are backups of an installed Tunnelblick.
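The version and Deployed checks described above can be scripted and pointed at the installed copy and at any backup copies. This is an added example, not code from the Tunnelblick project; it assumes the version string is stored under CFBundleShortVersionString in the bundle's Info.plist, in a form such as "3.3beta22" or "3.0b9", and that "Resources" is the bundle's Contents/Resources folder.

```python
import plistlib
import re
from pathlib import Path

FIXED = "3.3beta22"  # first fixed version, per this FAQ

# Assumed version shapes: "3.3beta22", "3.0b9", "3.2.8"; trailing text is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:(b|beta)(\d+))?")

def parse_version(text):
    """Return a sortable tuple; a beta sorts before the final release of the same x.y."""
    if not isinstance(text, str):
        return None
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    if stage:
        return (int(major), int(minor), int(patch or 0), 0, int(num))
    return (int(major), int(minor), int(patch or 0), 1, 0)

def predates_fix(version_text):
    """True when the version is earlier than 3.3beta22 or cannot be determined."""
    parsed = parse_version(version_text)
    # The FAQ states that no version information means 3.0b9 or earlier.
    return parsed is None or parsed < parse_version(FIXED)

def audit_bundle(app_path):
    """Inspect one Tunnelblick.app copy (installed, or a backup of an install)."""
    app = Path(app_path)
    version = None
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            version = plistlib.load(fh).get("CFBundleShortVersionString")
    except Exception:
        pass  # missing or unreadable plist: treat as "no version information"
    return {
        "path": str(app),
        "version": version,
        "predates_fix": predates_fix(version),
        # A "Deploy" folder in "Resources" marks a Deployed version.
        "deployed": (app / "Contents" / "Resources" / "Deploy").is_dir(),
    }

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/Applications/Tunnelblick.app"]:
        print(audit_bundle(path))
```

A copy reported with "deployed" set must be replaced by a new version from whoever distributed it, rather than by a direct update.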
Are copies of Tunnelblick that have not been installed vulnerable?
Are copies of a Tunnelblick disk image (.dmg file) vulnerable?
Do the vulnerabilities have anything to do with OpenVPN or OpenSSL?
No, these are vulnerabilities in Tunnelblick itself, not in OpenVPN or OpenSSL.
How were the vulnerabilities discovered?
The vulnerabilities were posted to the full-disclosure email list along with an exploit on 2012-08-11; Tunnelblick developers were not notified prior to the disclosure. A fix (Tunnelblick 3.3beta22) was released on 2012-09-12.