CCleaner v5.63.7540

v5.63.7540 (15 Oct 2019)

In this release we have included some important security updates and minor UI improvements and bug fixes. 

General

  • Users on versions v5.57 through to v5.62 have been automatically updated to the new version to take advantage of its enhanced security and improved performance. Users will not notice any change to any of their product settings and can continue to use it as normal.
  • Minor UI changes and bug fixes

https://forum.piriform.com/topic/55747-ccleaner-v5637540/

lmacri:

Does anyone have more information on the "important security update" for CCleaner v5.63.7540 mentioned in the version history at https://www.ccleaner.com/ccleaner/version-history? ...

Please see Avast employee Dave CCleaner's reply in the CCleaner thread CCleaner v5.63 "Important Security Updates" about a new signing certificate that was included with CCleaner v5.63 as a "precautionary measure" after a confirmed breach of the Avast internal network and (apparently) unsuccessful attempt to inject malware into a CCleaner installer. Further details are provided in the 21-Oct-2019 CCleaner blog CCleaner Version 5.63: Preventative Update as Part of Our Zero-Tolerance Policy Against Cybercrime.

Kudos as well to Piriform mod hazelnut for posting a link to today's Avast blog Avast Fights Off Cyber-Espionage Attempt, Abiss, which states in part:

"...After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA...

...Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.

On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected..."

Users might recall a similar supply chain attack of July 2017 where an undetected Floxif trojan was successfully planted inside the CCleaner v5.33.6162 installer that was released to users and infected hundreds of thousands of 32-bit machines.  See the BleepingComputer article Avast Clarifies Details Surrounding CCleaner Malware Incident for more information about this previous 2017 breach.

Does anyone have more information on the "important security update" for CCleaner v5.63.7540 mentioned in the version history at https://www.ccleaner.com/ccleaner/version-history?  The official release announcement at https://forum.piriform.com/topic/55747-ccleaner-v5637540/ doesn't provide any further details.