So, if anyone is tired of waiting for an official answer...why not just set up two computers on the same subnet with an older version running on one of them, and try the exploit and see whether it works or not, then report your findings to everyone?
Well yeah, but I can't imagine why TeamViewer doesn't do just this. It does not seem like an unreasonable expectation.
It does seem reasonable. I would say it's likely that a step like that would go against some of their internal procedures (possibly), and also they could be looking directly at source code to see any problems (not a bad idea, but slower).
Or the other possibility is that they're more worried about about 11+, and previous versions aren't a priority to them. I don't like that possibility as much, but it's a reality that this could be the case.
I would like to give you a heads-up on the process at TeamViewer in regard to this matter.
I apologize that it took a few days to post this update, but please rest assured we take this matter extremely serious and continue to review it.
Let me provide you with a Q & A about the matter. Please excuse that I am repeating some parts of what I posted earlier, but I think it is good to have a complete overview:
The permission hook exploit is a vulnerability that pertains to TeamViewer’s Windows, macOS and Linux versions and concerns TeamViewer’s set of permissions. In two different scenarios, attackers could either gain control of the victim’s mouse or switch sides to gain control of the system. However, a cybercriminal cannot randomly attack any TeamViewer installation as the exploit requires a running session.
Remote support sessions should only be conducted with trustworthy parties. Even the permission hook exploit cannot be applied without a typical social engineering scheme.
Remember big organizations do not cold call you to inform you about a potential flaw of your device. If you receive a call like that, just hang up! If you are concerned about your machine, take the initiative and have a trustworthy party look at it.
For the use within organizations, it will be helpful to remind employees that remote sessions should only be held with trustworthy parties.
In addition, users should always update their software and only download TeamViewer through the official channels.
The impact of this exploit is limited. Cybercriminals cannot just randomly attack any given TeamViewer installation. The exploit can only be applied after a legitimate TeamViewer session has been established. So even if a TeamViewer version is susceptible to this potential threat, it only becomes an issue if users join in sessions with a rogue participant. Additionally, every TeamViewer user has the ability to end the session at any time to terminate the attack.
The Proof of Concept (PoC) was first published by an external security researcher on GitHub. TeamViewer discovered the PoC in a monitoring routine that is continuously run to identify potential threats.
The exploit could be administered in a typical tech scam, and hinges on social engineering. Scammers very often have their victims connect to their – i.e. the scammer’s – computer first. From there they coax them into confirming a switch of sides so that the scammers can access the victim’s device.
With the permission hook exploit, scammers can switch sides without having the victim confirm that first. Still the victim can end the session to terminate the attack. But as has been pointed out before, there is no feasible approach to exploit this vulnerability without a social engineering scheme.
TeamViewer responded immediately to contain the threat. After TeamViewer learned about the issue on Monday, December 4, 2017, hotfixes for Windows were provided on Tuesday, December 5, 2017. macOS updates were released on Wednesday, December 6, 2017. Updates for Linux appeared on Thursday, December 7, and Friday, December 8, 2017.
Updates are available for TeamViewer versions 11-13. The vulnerability also affects the QuickSupport and Host module. Patches have been provided accordingly.
The reception of the available updates depends on the setting in the TeamViewer client. Users who have not enabled auto updates in the software will receive an in-product message that will ask them to update their client.
Users with auto updates enabled will receive the update automatically.
However, TeamViewer encourages all users to manually initiate the check for updates. Because even with the auto update enabled, delays may occur because of the frequency set for the update checks in the TeamViewer client.
This delay is due to organizational processes. We apologize for any inconvenience that may have caused.
TeamViewer will provide proper change logs that will reflect the vulnerability adequately.
The latest versions that include the hotfix – as of December 12, 2017 – are as follows:
TeamViewer 13: 13.0.5640 TeamViewer 12: 12.0.89970 TeamViewer 11: 11.0.89975
TeamViewer 13: 13.0.5693 (Host: 13.0.5641) TeamViewer 12: 12.0.90041 TeamViewer 11: 11.0.90154
Yes, the statement about the issue can be read and downloaded at:
Thank you for your patience and your understanding. In case of any further questions please feel free to post them in this thread and we will work on an answer.
All the best, Esther
That still doesn't really address the pre-11 versions.
"The impact of this exploit is limited. Cybercriminals cannot just randomly attack any given TeamViewer installation. The exploit can only be applied after a legitimate TeamViewer session has been established. "
So, had this been known in 2016, it could have been far worse. (I'm referring to this instance: https://blog.teamviewer.com/recent-cyber-attacks/). In this instance, they were randomly attacking any given TeamViewer installation using weak passwords, probably from a huge list from previously hacked sources...so if people didn't take steps to secure their accounts with 2fa, etc., there's serious potential for another attack using the password reuse thing, then firing the exploit to switch screens.
So we still need to address whether or not the older versions are affected.
Hello! We use Team Viewer ver.10.0. Does it version have this vulnerability?
It looks like you're new here. If you want to get involved, click one of these buttons!