Tuesday, May 11, 2021

ProtonVPN, NordVPN Patch Windows Bug

ProtonVPN and NordVPN were exposed to vulnerabilities that could have allowed hackers to execute arbitrary code with administrator privileges on computers running Windows.

The bugs, CVE-2018-3952 (affecting NordVPN) and CVE-2018-4010 (affecting ProtonVPN), were discovered by Cisco Talos security researchers and are similar to another security flaw (tracked as CVE-2018-10169) discovered in March by security consulting firm VerSprite.

By April, NordVPN and ProtonVPN had released patches to fix the original vulnerability, but it was still possible to execute code as an administrator, according to Talos, albeit through an exploit.

The initial vulnerability arose because OpenVPN could be made to select a malicious file as its VPN configuration, which could then expose private information and allow an attacker to run arbitrary commands.

Both clients use OpenVPN’s open-source software to set up secure connections from one point to another. Since the service requires admin privileges to run, any code that runs also has access to these privileges. However, Cisco Talos found that by putting certain parameters in quotation marks, the bug fixes could be bypassed.
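The sketch below is an added example, not code from NordVPN, ProtonVPN, or Talos: it shows why a configuration check that compares raw text misses quoted option names, and how tokenizing each line the way a quote-aware parser does closes that gap. The blocklist, the raw-word check, and the sample profile are assumptions made for illustration; the article does not describe the vendors' actual filter.

```python
import shlex

# Real OpenVPN options that load or run external code. Treating exactly
# this set as forbidden is an assumption of this example.
CODE_EXEC = {"plugin", "script-security", "up", "down", "route-up",
             "ipchange", "tls-verify", "auth-user-pass-verify"}

def naive_flags(config_text):
    """Match the first raw word of each line; quoting defeats this."""
    return [ln.strip() for ln in config_text.splitlines()
            if (ln.split() or [""])[0] in CODE_EXEC]

def directive_name(line):
    """Option name after quote removal, None for blanks and comments."""
    line = line.strip()
    if not line or line[0] in "#;":
        return None
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote: reject instead of guessing
        return "<unparseable>"
    return tokens[0].lstrip("-").lower() if tokens else None

def audit(config_text):
    """Return (line number, option) for every line that must be refused."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        name = directive_name(line)
        if name == "<unparseable>" or name in CODE_EXEC:
            findings.append((number, name))
    return findings

# Constructed sample profile; host and file names are placeholders.
SAMPLE = """client
dev tun
remote vpn.example.test 1194
"script-security" 2
'up' placeholder-script
; down commented-out
plugin placeholder.dll
"""

if __name__ == "__main__":
    print("raw-word check :", naive_flags(SAMPLE))
    print("tokenized check:", audit(SAMPLE))
```

A content check like this complements, rather than replaces, keeping the configuration file somewhere unprivileged users cannot write.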

NordVPN developed a fix by August by generating OpenVPN configuration files that cannot be edited by users.

“The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE. In the beginning of August an automatic update has been pushed to all of our customers as well, so none of them should be vulnerable at the moment,” NordVPN said.

ProtonVPN’s patch was released earlier this month and changed the location of the configuration files to the installation directory, where users can’t modify them.

“Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update. We have not seen any evidence of this being exploited in the wild, as a user’s computer needs to first be compromised by a hacker before this bug can be exploited,” ProtonVPN tells ZDNet. “The fix we have implemented should eliminate all bugs of this nature. We continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program.”
