If you’ve ever worked from home for a big corporation, or subscribe to a VPN service, you may be familiar with OpenVPN. It's an open-source virtual private network protocol, which lets users route all their internet traffic through encrypted connections to a secure server on the other end.
The downside of open-source projects is that it's potentially very easy to find vulnerabilities in them. The beauty of open-source projects is that it’s often very easy to patch them. An independent security researcher has discovered a handful of critical vulnerabilities in the OpenVPN client software, and if you use it — even occasionally — you should patch it immediately.
Guido Vranken, an independent security researcher from the Netherlands, ran an audit on OpenVPN software and didn't like what he found. He didn't take all of the credit, explaining that he used a fuzzer, an automated tool that feeds a program a wide variety of malformed inputs, both common and esoteric, to trigger faults. Vranken came across seven bugs that could potentially compromise OpenVPN, as well as a handful of others that could interfere with its operations in less deadly ways.
OpenVPN has already patched all of the vulnerabilities that Vranken found, as he reported them privately a few months back. To be perfectly honest, the in-depth explanations of the flaws are not terribly interesting, unless you have a pretty good working knowledge of how VPN software works.
Suffice it to say, if left unpatched, a very (very, very) sophisticated hacker could leverage OpenVPN to execute remote code on your computer. From there, he or she could install malware, draft the computer into a botnet, steal personal information or wreak other kinds of technological havoc.
Luckily, mitigating the problem is very simple. OpenVPN has already released new versions of its software. To protect yourself, all you have to do is download and install the latest release. Windows and Linux users can visit the OpenVPN downloads page, while Mac OS users should use Tunnelblick instead. Just download and install as you would any other program.
There is one bit of bad news, however: Vranken pointed out that if he was able to isolate OpenVPN flaws with a fuzzer, it’s not impossible — or even unlikely — that some highly skilled hackers or a government group discovered the same thing. Vranken didn’t hazard a guess as to whether any flaws were exploited in the wild, but if you’ve used OpenVPN recently, running a virus scan couldn’t hurt.