Security Updates

Last Updated: January 18, 2022

Hotspot Shield for Windows

Versions affected: Hotspot Shield for Windows version 10.3.0 and earlier

Impact: A vulnerability was reported in Hotspot Shield for Windows 10.0.1. The Hotspot Shield service runs as SYSTEM and writes log files into a folder with local user permissions. By removing the folder and abusing NTFS junctions, an unprivileged user can write to any file on the file system with SYSTEM privileges.

This vulnerability has been assigned CVE-2020-17365

Entry added: September 18, 2020
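
A defensive audit for the condition described in this entry (a SYSTEM service logging into a folder that ordinary users can modify), as an added example that is not vendor code. The function name and the folder path are hypothetical; the advisory does not name the real log location.

```powershell
# Added example: flags a service log folder (and its parent) that is a
# reparse point or that non-administrative principals can modify.
function Test-ServiceLogDir {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs trusted to modify the folder: SYSTEM, Administrators, TrustedInstaller.
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    # Rights that allow planting files, deleting the folder, or changing its ACL,
    # plus the raw GENERIC_ALL / GENERIC_WRITE bits seen in inherit-only ACEs.
    $named = [Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $risky = [int]$named -bor 0x10000000 -bor 0x40000000
    $sidType = [Security.Principal.SecurityIdentifier]

    # Deleting and recreating the folder needs rights on it or on its parent.
    $targets = @($Path, (Split-Path -Path $Path -Parent)) | Where-Object { $_ }
    foreach ($dir in $targets) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction Stop

        # A junction or symlink here redirects the service's writes elsewhere.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{ Path = $dir; Finding = 'ReparsePoint'; Detail = $item.LinkType }
        }

        # Explicit and inherited ACEs, with identities returned as SIDs.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $risky) -ne 0) {
                [pscustomobject]@{ Path = $dir; Finding = 'ModifiableByNonAdmin'
                                   Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)" }
            }
        }
    }
}

# Placeholder path; substitute the folder your service actually logs to.
Test-ServiceLogDir -Path 'C:\ProgramData\ExampleVendor\ExampleService\logs' |
    Format-Table -AutoSize
```

An empty result means neither the folder nor its parent is a reparse point or grants modify-type rights outside the three trusted SIDs.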

Hotspot Shield for Windows

Versions affected: Hotspot Shield for Windows 7.10 and earlier

Impact: An internal audit discovered that all versions of Hotspot Shield for Windows < 7.10 contain a vulnerability that leads to information disclosure when a user visits a specific vulnerable domain. The issue was fixed by removing special treatment of these domains.

This vulnerability has been assigned CVE-2018-17241

Entry added: September 20, 2018

Betternet for Windows

Versions affected: Betternet for Windows <= 4.1.0.0

Impact: A vulnerability was reported in the Betternet for Windows installer that led to arbitrary code execution, provided a DLL planting attack had already succeeded.

This vulnerability has been assigned CVE-2018-12269

Entry added: June 13, 2018

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the way the Chrome extension resolved domains, which led to leaking the user’s IP address under specific conditions.

This vulnerability has been assigned CVE-2018-7878

Entry added: March 12, 2018

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the whitelist present in the PAC script.

If a user visited a website that hosted a URL with a specific query parameter, the extension would then start proxying traffic to that URL, leading to a traffic hijack.

This vulnerability has been assigned CVE-2018-7879

Entry added: March 12, 2018

Hotspot Shield Chrome Extension

Versions affected: Hotspot Shield Chrome extension <= 3.2.14

Impact: A vulnerability was reported in the whitelist present in the PAC script.

If a user visited a specially crafted page, the request would bypass the VPN and the user’s real IP address would be visible.

This vulnerability has been assigned CVE-2018-7880

Entry added: March 12, 2018

AnchorFree OpenVPN SDK

Versions affected: AnchorFree OpenVPN SDK v1.3.3.218

Impact: An issue was discovered in AnchorFree OpenVPN SDK before v1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. A malicious entity that binds to the socket and provides a path where a malicious executable file resides can have that file executed with SYSTEM privileges.

This vulnerability has been assigned CVE-2020-12828

Entry added: March 13, 2020