Following the announcement from Cisco Talos that both NordVPN and ProtonVPN’s internet traffic obfuscating services were vulnerable to a newly discovered bug, both companies have come out with statements of their own to calm the fears of their users. It turns out that the respective flaws were patched out weeks ago, back when no one had heard anything about them.
The flaws in question piggybacked a patch applied by both companies to a bug discovered earlier this year. That April fix had its own flaw in it, according to ZDNet, which made it possible for a theoretical attacker to take control of the user’s system by exploiting the design of both NordVPN and ProtonVPN’s clients. Fortunately, those bugs were patched out well before the general public was made aware of them.
“The vulnerability described in their report no longer exists on our systems. When it did, it was completely undocumented and quite possibly unknown to anyone in the world,” NordVPN said on its blog. “When they discovered the CVE vulnerability in our and other VPN providers’ systems, Talos Intelligence, like all ethical security research firms, approached us with the news first before publishing it. They waited until we fixed the problem before publishing their findings to ensure that no VPN users were exposed to any additional risk.”
ProtonVPN released its own statement to ZDNet, claiming that the fix it has now implemented would eliminate all bugs of this type, but it will continue to investigate the issue to make sure.
Also of import is the fact that this particular exploit required hard access to a victim’s machine in the first place. That meant that even if this bug hadn’t been patched out, an attacker would have to have physical or remote access to the machine through a guest account or malware attack to execute the VPN exploit. As NordVPN pointed out in its blog post, if a hacker already has such access to a system, there are many other options they would have to further the attack. This exploit would merely be one extra attack vector.
With that in mind, this security breach wasn’t as damaging as some may have made out, but regardless, it’s good to see companies like NordVPN and ProtonVPN responding so swiftly to the problem.
If you want to make sure that your system is as protected as it can be, just run the updater within your VPN software to download the latest version if it hasn’t done so automatically.
For a look at some of our favorite VPNs, here’s our guide to the best.