Security Fixes in Our macOS App


IPVanish engineers have released a fix to our macOS app 3 days after a security research company highlighted an issue affecting the OpenVPN protocol within the application.

The issue only occurred under specific circumstances. An affected individual would first need to have their device compromised by malicious software or accessed physically by an attacker. In addition, the targeted individual would need to have installed the IPVanish macOS software and manually changed the protocol from the default WireGuard® protocol to OpenVPN. 

The issue has been resolved in version 4.10.3 of the IPVanish macOS desktop app (Beta users received the fix in version 5.0.1). While the scenario required multiple conditions to be met, we take any risk to user security seriously and moved quickly to address it.

We recommend all Mac users update to the latest version of our desktop app to ensure they benefit from the most secure and reliable VPN experience available.

What we fixed

With the help of security researchers, we have identified and fixed an issue with the OpenVPN privileged helper tool in our macOS Desktop software. Under certain conditions, if a user’s device had already been compromised by a hacker, either in person or by installing malicious code, this background component (only installed if the customer used the OpenVPN protocol) could have allowed an unprivileged local process to execute code with elevated permissions. That flaw could have enabled a hacker to further exploit the device.

Our latest macOS update solves this problem by changing the application flow to not accept data from any location that can be manipulated by regular users.

The updated version is now available for download, and macOS users will receive an automatic prompt within the app to install the latest version. We strongly recommend updating to the latest release to ensure you are running the most secure version of the IPVanish application.

We want to make it clear that this issue did not involve any intrusion into the IPVanish server network and did not affect the encryption or integrity of the VPN connection. An attacker could not exploit the vulnerability remotely over the internet or simply by knowing a user’s IP address. The scope of the issue was limited to the local scenario outlined above and did not affect any other customers.

How likely were you to be affected?

Based on our analysis, we believe the likelihood of real-world exploitation was extremely low. The issue required local access to the device, meaning a malicious actor would already need to have compromised the system or gained physical access. The vulnerability only affects users who have used OpenVPN within the macOS application. Since WireGuard is the default protocol for new IPVanish installations, many users would never encounter this code path. Importantly, the vulnerability does not affect the encryption used by IPVanish or the integrity of the VPN tunnel. 

The issue only impacted macOS users who had met both of these criteria:

  1. The device had already been accessed by a hacker, either in person or by installing malicious code, and
  2. The customer had installed the IPVanish macOS software and manually changed from the default protocol, WireGuard, to OpenVPN. 

IPVanish’s approach to security issues

IPVanish takes all vulnerabilities very seriously. We identify issues through a combination of internal testing and ongoing monitoring, coupled with responsible disclosures from researchers and the broader security community through our Vulnerability Disclosure Program.

While these processes are designed to catch problems before release, complex software environments mean that some edge cases may only surface through real-world usage or external research. 

When an issue is identified, our teams immediately assess its scope, develop a fix, and prioritize delivering that update as quickly as possible.

A word of thanks

We appreciate the work of the security research community to responsibly disclose issues that help strengthen our service. Feedback from researchers, testers, and customers plays a vital role in helping us continually improve the security and reliability of IPVanish.


  • Crysta Timmerman


