Statement on CVE 2020-13699

2»

Comments

  • Kokek
    Kokek Posts: 1

    And when you press update on a versio  12 host it installs a version 15 and kills your licence. Just another little thing that annoys costumers. And now we(it admins) need to update over 300 hosts manually because you cant make your software look for updates just for the version 12.

    Terrible and annoying

  • Sascha2
    Sascha2 Posts: 8 ✭✭

    @Kokek wrote:

    And when you press update on a versio  12 host it installs a version 15 and kills your licence. Just another little thing that annoys costumers. And now we(it admins) need to update over 300 hosts manually because you cant make your software look for updates just for the version 12.

    Terrible and annoying


    dont want to blame you but if you have to manage 300 hosts and you are doing updates manually you are doing something wrong. just my 2 cents..

    and yes updating TV manually over built in update feature is not the proper way in your case. why dont you take the latest version 12  and install it?

  • Esther
    Esther Posts: 4,052 Former Community Manager

    @techmavcr You can update your current installation e.g. via Help --> Check for new version or you can download and install the new version from our download page.

    @No-2 It impacts modules using the installer. That means the TeamViewer Host and the full version.

    @Kokek If you do not have the auto-update activated and you are manually updating the software, TeamViewer will offer you:

    • the latest version of your current main version (e.g. TeamViewer 12) or
    • and update to the latest TeamViewer version available 

    As an example: 

    2020-08-11 09_36_15-v12_2.png

    (Please know you will need to make two updates if you want to switch to TeamViewer in version 15.8.3 via 15.2.2756.)

    In case you have the auto-update activated and the module updated itself already on the latest release, it will only offer you the update to the latest version available (TeamViewer in version 15).

    One more comment: Please check under Extras --> Options --> Adanced --> under General advanced settings --> Install new versions automatically.what setting is chosen.

    You might want to have All updates within this major version instead of All updates

    2020-08-11 09_35_53-v12.png

     

    You can also deploy TeamViewer via the MSI package to your team members (Corporate license is required).

    I hope this info helps you.

    Best, Esther

    Former Community Manager

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    @Sascha2 wrote:

    dont want to blame you but if you have to manage 300 hosts and you are doing updates manually you are doing something wrong. just my 2 cents.


    If you have 300 different clients == 300 different hosts (on different/distant Windows Server) which are not connected together because their are property of different clients.
    How do you want to automatically update TeamViewer host on them without loging to them ?

    EDIT:
    this question is purely technical ... no malice ... i just wanna know.

    Regards,
    mLipok , AutoIt MVP
  • Sascha2
    Sascha2 Posts: 8 ✭✭


    If you have 300 different clients == 300 different hosts (on different/distant Windows Server) which are not connected together because their are property of different clients.
    How do you want to automatically update TeamViewer host on them without loging to them ?

    EDIT:
    this question is purely technical ... no malice ... i just wanna know.

    Edit:

    ah ok, may i got it now - 300 different customers on 300 devices ok thats a challenge

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    maybe somebody from TeamViewer Team have any idea if it is possible to automaticaly update TV Host in such case ?
    Maybe by command line I can force TeamViewer to update ?

    This will give me a change to add task to task scheduler.

    Regards,
    mLipok , AutoIt MVP
  • danny4
    danny4 Posts: 1

    Do i also need to update the quicksupport executable?

  • techmavcr
    techmavcr Posts: 3 ✭✭

    @Esther in can't install v15 because that will kill my license, my license is V9.

  • agazpar
    agazpar Posts: 1

    Where i can download the update for the version 9.0.258860, because in the link https://www.teamviewer.com/en/download/previous-versions/ does not show the verion 9.

  • Fiona_G
    Fiona_G Posts: 689 Staff member 🤠

    Hi @agazpar,

    We are sorry for the inconvenience caused.

    To download TeamViewer 9, please scroll down to the bottom on the page and click Need an earlier version or directly from Download TeamViewer 8 and 9.2020-08-12 12_58_43-Previous versions of TeamViewer _ 14 - 13 - 12 - 11 - 10.pngI hope this information would be helpful.

    Kind regards,

    Fiona

     

    Fiona_G
  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @mLipok @Sascha2 

    First of all, as you already know, there is no build-in feature for this.

    Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around. 

    Please know, that 

    • we do not recommend doing this and 
    • we do not support this and 
    • in case of any issues, our support can and will not be able to assist you

    If you still want to give it a try: you could set the registry values for the autoupdate

    UpdateCheckInterval=3

    UpdateChannel=2 

    Please keep in mind that 

    • the MSI will not make any updates regardless of the registry value you entered
    • It may talk a while until the next update will be started
    • the TeamViewer service must be restarted for the changes to take effect in the registry.

    One important thing I´d like to mention is that the best way is to activate the auto-update within this major version for all your installations.

    Thanks and best,

    Esther

    Former Community Manager

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @danny4  

    Every QuickSupport downloaded now from our website, or the customized links will be on the latest version automatically. There is no need to update them proactively.

     

    Hi @techmavcr 

    We released an update for TeamViewer 9 as well.

    Please find it here: Download TeamViewer 8 and 9 (This version will work with your license for TeamViewer 9).

    I posted the Change log here: [Windows] v9.0.258860 - Change Log

     

    Hi @agazpar 

    As @Fiona_G already mentioned, you can find the downloads for TeamViewer 8 and 9 in our Community Download TeamViewer 8 and 9 

    Thanks and best,

    Esther

    Former Community Manager

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    @Esther wrote:

    Hi @mLipok @Sascha2 

    First of all, as you already know, there is no build-in feature for this.

    Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around. 

    .....


    thank you for this information

    Of course I suppose that there is no built in feature, and chcecked it twice.
    But was wondering if this is possible.

    I will try this workaround ASAP.

    Regards,
    mLipok , AutoIt MVP
  • davidvr
    davidvr Posts: 2

    To my knowledge, the Host module has never had URI handling built into it because it never was able to launch a session. Please explain how that would be affected. 

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @davidvr 

    Thanks for your question.

    Yes - it is correct that Host modules cannot launch a session, however - the URI handler is part of the installer and as the Host module is installed it is in there.

    Hope that helps,

    Esther

    Former Community Manager

  • davidvr
    davidvr Posts: 2

    I'm afraid that is not a very clear answer.

    The URI is how the exploit is executed, and if I understand your answer,  the code is there but not actually activated in the host module. That would lead me to believe that after the host module is installed, there is no way to craft a webpage that would utilize the host module to get the system account credentials which is the main concern around this CVE. 

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @davidvr 

    The CVE describes one of the possible scenarios - you could call it the worst-case scenario but with the update, we also fixed other scenarios that could happen.

    Best, Esther

    Former Community Manager

  • A2theB
    A2theB Posts: 1

    Why would the MSI version not be configurable for auto-update?  That's the main benefit of using an MSI is you can deploy it to a lot of machines in an automated fashion.  I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.

  • Sascha2
    Sascha2 Posts: 8 ✭✭

    @A2theB wrote:

    I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.


    not for me, one of the first things i want to disable is the update notification. If you use MSI for installation you mostly use some software deployment and the the last thing you want is that some program is updating itself to a non-tested version with some special updater process (which also needs admin rights)

  • chad3
    chad3 Posts: 1

    Does this vulnerbility applies to TeamViewerQS?

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @chad3 

    It impacts modules using the installer. That means the TeamViewer Host and the full version.

    Every QuickSupport downloaded now from our website, or the customized links will be on the latest version automatically. There is no need to update them proactively.

    Thanks and best,

    Esther

     

    Former Community Manager

  • Hi @Esther,

    You mentionned that it impacts modules using the installer. Can you confirm that it does not affect at all QuickSupport version and that we don't need to update it at our customer premises because you indicate that the latest version can be downloaded from your website.

    Thanks

    JC