Hi there,
I would like to give you a heads-up on the process at TeamViewer in regard to this matter.
I apologize that it took a few days to post this update, but please rest assured we take this matter extremely seriously and continue to review it.
Let me provide you with a Q & A about the matter. Please excuse that I am repeating some parts of what I posted earlier, but I think it is good to have a complete overview:
What is the permission hook exploit?
The permission hook exploit is a vulnerability that pertains to TeamViewer’s Windows, macOS and Linux versions and concerns TeamViewer’s set of permissions. In two different scenarios, attackers could either gain control of the victim’s mouse or switch sides to gain control of the system. However, a cybercriminal cannot randomly attack any TeamViewer installation as the exploit requires a running session.
What is the guidance TeamViewer can provide to address the permission hook exploit?
Remote support sessions should only be conducted with trustworthy parties. Even the permission hook exploit cannot be applied without what may be called a typical social engineering scheme.
Remember big organizations do not cold call you to inform you about a potential flaw of your device. If you receive a call like that, just hang up! If you are concerned about your machine, take the initiative and have a trustworthy party look at it.
For the use within organizations, it will be helpful to remind employees that remote sessions should only be held with trustworthy parties.
In addition, users should always update their software and only download TeamViewer through the official channels.
What is the impact of the permission hook exploit?
The impact of this exploit is limited. Cybercriminals cannot just randomly attack any given TeamViewer installation. The exploit can only be applied after a legitimate TeamViewer session has been established. So even if a TeamViewer version is susceptible to this potential threat, it only becomes an issue if users join in sessions with a rogue participant. Additionally, every TeamViewer user has the ability to end the session at any time to terminate the attack.
How did TeamViewer find out about the exploit?
The Proof of Concept (PoC) was first published by an external security researcher on GitHub. TeamViewer discovered the PoC in a monitoring routine that is continuously run to identify potential threats.
What is a typical use case for the permission hook exploit?
The exploit could be administered in a typical tech scam, and hinges on social engineering. Scammers very often have their victims connect to their – i.e. the scammer’s – computer first. From there they coax them into confirming a switch of sides so that the scammers can access the victim’s device.
With the permission hook exploit, scammers can switch sides without having the victim confirm that first. Still the victim can end the session to terminate the attack. But as has been pointed out before, there is no feasible approach to exploit this vulnerability without a social engineering scheme.
How and when did TeamViewer respond to the discovery of the vulnerability?
TeamViewer responded immediately to contain the threat. After TeamViewer learned about the issue on Monday, December 4, 2017, hotfixes for Windows were provided on Tuesday, December 5, 2017. macOS updates were released on Wednesday, December 6, 2017. Updates for Linux appeared on Thursday, December 7, and Friday, December 8, 2017.
Updates are available for TeamViewer versions 11-13. The vulnerability also affects the QuickSupport and Host modules. Patches have been provided accordingly.
How can the TeamViewer software update be received?
The reception of the available updates depends on the setting in the TeamViewer client. Users who have not enabled auto updates in the software will receive an in-product message that will ask them to update their client.
Users with auto updates enabled will receive the update automatically.
However, TeamViewer encourages all users to manually initiate the check for updates, because even with auto update enabled, delays may occur because of the frequency set for the update checks in the TeamViewer client.
Why did the TeamViewer change logs not immediately reflect the vulnerability?
This delay is due to organizational processes. We apologize for any inconvenience this may have caused.
TeamViewer will provide proper log files that will reflect the vulnerability adequately.
The latest versions that include the hotfix – as of December 12, 2017 – are as follows:
Windows:
TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975
Mac:
TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975
Linux:
TeamViewer 13: 13.0.5693 (Host: 13.0.5641)
TeamViewer 12: 12.0.90041
TeamViewer 11: 11.0.90154
Is there an official statement available on the TeamViewer website?
Yes, the statement about the issue can be read and downloaded at:
https://www.teamviewer.com/en/company/press/teamviewer-releases-hotfix-for-permission-hook-vulnerability/
Thank you for your patience and your understanding. In case of any further questions please feel free to post them in this thread and we will work on an answer.
All the best, Esther
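As an added example that is not part of Esther's post and not TeamViewer's own tooling: a small Python check that compares an installed TeamViewer build against the hotfix versions listed in the post (as of December 12, 2017), so an administrator can tell which machines in an inventory still need the update. The hotfix version numbers are copied from the post; the platform names, the `module` parameter (`"full"` or `"host"`) and the inventory rows are assumptions constructed for this example. Major versions the post does not list (anything other than 11-13) are reported as not confirmed patched rather than guessed.

```python
"""Compare installed TeamViewer builds against the hotfix versions listed in
the post. Example code, not TeamViewer's own; inventory rows are constructed."""

# Hotfix builds per platform and major version, as listed in the post
# (as of December 12, 2017).
HOTFIX_VERSIONS = {
    "windows": {11: "11.0.89975", 12: "12.0.89970", 13: "13.0.5640"},
    "mac":     {11: "11.0.89975", 12: "12.0.89970", 13: "13.0.5640"},
    "linux":   {11: "11.0.90154", 12: "12.0.90041", 13: "13.0.5693"},
}
# The Linux Host module for version 13 has its own hotfix build in the post.
LINUX_HOST_HOTFIX = {13: "13.0.5641"}

# Platform spellings we accept (assumption: how an inventory might label them).
PLATFORM_ALIASES = {"macos": "mac", "osx": "mac", "darwin": "mac", "win": "windows"}


def parse_version(s):
    """Turn a dotted numeric version like '13.0.5640' into a comparable tuple."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, installed, module="full"):
    """Return (patched, reason).

    patched is True only when the installed build is at or above the hotfix
    build the post lists for that platform/major version. Unlisted major
    versions are reported as not confirmed patched (no guessing).
    """
    plat = platform.lower()
    plat = PLATFORM_ALIASES.get(plat, plat)
    if plat not in HOTFIX_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")

    version = parse_version(installed)
    major = version[0]

    # Linux Host module (assumed label "host") has a separate hotfix build.
    if plat == "linux" and module == "host" and major in LINUX_HOST_HOTFIX:
        required = LINUX_HOST_HOTFIX[major]
    else:
        required = HOTFIX_VERSIONS[plat].get(major)

    if required is None:
        return (False, f"no hotfix build listed for TeamViewer {major} on {plat}; not confirmed patched")

    if version >= parse_version(required):
        return (True, f"{installed} >= hotfix {required}")
    return (False, f"{installed} < hotfix {required}; update required")


# Constructed inventory: (host, platform, installed build, module).
INVENTORY = [
    ("ws-01",  "Windows", "13.0.5640",  "full"),  # exactly the hotfix build
    ("ws-02",  "windows", "12.0.88000", "full"),  # constructed older build
    ("mac-01", "macOS",   "11.0.89975", "full"),  # exactly the hotfix build
    ("srv-01", "linux",   "13.0.5641",  "host"),  # Host module hotfix build
    ("srv-02", "linux",   "13.0.5641",  "full"),  # full client needs 13.0.5693
    ("lab-01", "linux",   "10.0.12345", "full"),  # constructed; version 10 not listed
]


def audit(inventory):
    """Return [(host, reason)] for every machine not confirmed patched."""
    findings = []
    for host, platform, installed, module in inventory:
        ok, reason = is_patched(platform, installed, module)
        if not ok:
            findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for host, reason in audit(INVENTORY):
        print(f"{host}: {reason}")
```

The check keys on the major version because the post lists one hotfix build per major version and platform; a build that is numerically higher but on a different major line is compared against that line's own hotfix, not across lines.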