Frequently Asked Questions About the 2015-01-08 Vulnerability

On This Page
    What is the problem?
    How can I protect my computer from these vulnerabilities?
    Can Tunnelblick Updates Be Compromised by These Vulnerabilities?
    How can I update to the latest version of Tunnelblick?
    How to use Tunnelblick's built-in update function
    How to install the latest version of Tunnelblick
    What versions of Tunnelblick have known vulnerabilities?
    What version of Tunnelblick do I have?
    Am I Using a Deployed Version?
    Are there any exploits?
    Do I need to be running Tunnelblick to be vulnerable?

What is the problem?

Some versions of Tunnelblick include a version of the OpenSSL library that is vulnerable to several attacks.

For details on the vulnerabilities, see OpenSSL Security Advisory 08 Jan 2015.

How can I protect my computer from these vulnerabilities?

Update to the latest version of Tunnelblick (either the latest stable version or the latest beta version).

Can Tunnelblick Updates Be Compromised by These Vulnerabilities?

No. There is an additional protection built into the Tunnelblick update process: updates are signed with a digital signature. When you update Tunnelblick, the program checks the digital signature.

How can I update to the latest version of Tunnelblick?

You will need your computer's administrator password to update Tunnelblick.

If you have Tunnelblick 3.1 or higher, you can use Tunnelblick's built-in update function.
You can install the latest version of Tunnelblick (it will install into /Applications).

Note: Users of a Deployed version of Tunnelblick must obtain a new version of Tunnelblick from the person or organization that distributed Deployed. See How can I know if I am using a Deployed version.

How to use Tunnelblick's built-in update function

To update from Tunnelblick 3.2beta16 and higher: Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "VPN Details;", then click on "Preferences", then click on "Check Now" under "Updates". You'll be guided through the update process.
To update from Tunnelblick 3.2beta14 and lower, and all 3.1 versions: Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "Options", then click on "Check for Updates". You'll be guided through the update process.

How to install the latest version of Tunnelblick

Download the latest version from the Downloads page and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
Control-click on the Tunnelblick icon and click "Open" to be guided through the update process.
If your old version of Tunnelblick was not installed in /Applications, you must manually remove it from your computer.

What versions of Tunnelblick have known vulnerabilities?

The following versions have this or other known vulnerabilities:

All 3.5 versions before 3.5beta04 (build 4198)
All other versions before 3.4.3 (build 4055.4198)

What version of Tunnelblick do I have?

Find Tunnelblick.app (it is usually in the /Applications folder).
Click on Tunnelblick.app to select it
Click "File", then "Get Info". A window will appear with (among other things) version information.

If there is no version information, it is Tunnelblick version 3.0b9 or earlier.

Am I Using a Deployed Version?

Note: If you try to install Tunnelblick 3.2beta22 or higher on a computer that has a Deployed version of Tunnelblick, an error message will be displayed and the installation will not be performed.

Find Tunnelblick.app (usually it is in /Applications)
Control-click on Tunnelblick.app and click on "Show Package Contents"
Double-click on "Contents"
Double-click on "Resources"

If a "Deploy" folder exists in "Resources", you are using a "Deployed" version of Tunnelblick.

Are there any exploits?

Unknown as of the date of this posting (2015-01-08).

Do I need to be running Tunnelblick to be vulnerable?

Yes.