An update on the reported vulnerability of Enpass installer

Enpass is built on the core idea of securing your data, and that makes security one of the core pillars not just of the app, but of everything we do at Enpass. Our experienced team of product managers and developers is committed to security, and works at top priority to fix any security issue or flaw as soon as it comes to light.

A few days ago, such a flaw was reported by Himanshu Mehta in the Windows installer of Enpass, which is based on the Nullsoft Scriptable Install System (NSIS). It was fixed immediately in the latest version of Enpass for Windows, v5.3.

Summary

A DLL hijacking vulnerability was found in the NSIS-based installer for Enpass that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The vulnerability existed because EnpassSetup-5.2.1.exe (and earlier versions) loaded a DLL file improperly, which let an attacker have a DLL of their choosing loaded through the installer and so execute arbitrary code without the user’s knowledge.

  • Affected versions: Enpass 5.2.1 or earlier (the traditional Windows desktop app)
  • Tested on: Windows 7
  • Fix: update to Enpass 5.3.0 for Windows

Who is at risk?

If you already have Enpass installed and are using it, you don’t need to worry: the Enpass app itself is fully secure, and your passwords and data remain safe. The reported vulnerability was in the installer, not in the app.

If you install an older version of Enpass for any reason, though, the issue can still affect you. It was fixed in Enpass 5.3.0 by building the installer with the latest version of NSIS, so we recommend that you upgrade to the latest version.

What should be done?

To avoid any further concern, delete any previous Enpass installers downloaded to your PC, including copies kept in backups. This prevents an old installer from being run inadvertently later on.
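As a practical check for the two steps above (finding out whether an affected installer is still on disk, and seeing whether a DLL sits next to it where an installer would pick it up), here is an added audit script. It is example code written for this post, not part of Enpass or NSIS. It assumes installers follow the EnpassSetup-<major>.<minor>.<patch>.exe naming seen in EnpassSetup-5.2.1.exe, treats 5.3.0 as the first fixed version as stated above, and reports every .dll in the same folder because the post does not name the specific DLL the old installer loaded; the sample folder it scans is constructed inline.

```python
"""Audit a folder for outdated Enpass installers and DLLs placed beside them.

Added example, not Enpass or NSIS code. Assumptions (not from the advisory):
  - installers are named EnpassSetup-<major>.<minor>.<patch>.exe, generalised
    from the EnpassSetup-5.2.1.exe name in the advisory
  - 5.3.0 is the first fixed version, as the advisory states
  - any .dll next to an installer is reported, since the advisory does not
    name the DLL the old installer loaded
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (5, 3, 0)
INSTALLER_RE = re.compile(r"^EnpassSetup-(\d+)\.(\d+)\.(\d+)\.exe$", re.IGNORECASE)


def parse_installer_version(name):
    """Return (major, minor, patch) for an Enpass installer file name, else None."""
    match = INSTALLER_RE.match(name)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Versions before the fixed release carry the vulnerable NSIS installer."""
    return version < FIXED_VERSION


def audit_folder(folder):
    """List every Enpass installer in the folder with its status and neighbouring DLLs."""
    folder = Path(folder)
    files = [p for p in folder.iterdir() if p.is_file()]
    # Any DLL in the same folder is worth a look: an installer that resolves
    # a DLL from its own directory would find these first.
    adjacent_dlls = sorted(p.name for p in files if p.suffix.lower() == ".dll")
    findings = []
    for entry in sorted(files):
        version = parse_installer_version(entry.name)
        if version is None:
            continue
        findings.append({
            "installer": entry.name,
            "version": ".".join(str(n) for n in version),
            "affected": is_affected(version),
            "adjacent_dlls": adjacent_dlls,
        })
    return findings


def demo():
    """Run the audit over a constructed sample folder (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("EnpassSetup-5.2.1.exe", "EnpassSetup-5.3.0.exe",
                     "unexpected.dll", "notes.txt"):
            (Path(tmp) / name).write_bytes(b"")
        return audit_folder(tmp)


if __name__ == "__main__":
    for finding in demo():
        status = "AFFECTED, delete it" if finding["affected"] else "fixed version"
        print(f"{finding['installer']}: {status}; DLLs alongside: {finding['adjacent_dlls']}")
```

Point it at your Downloads folder (and any backup folders) by replacing the constructed temporary directory in demo() with the real path; an affected installer should be deleted, and a DLL you did not put beside an installer deserves a closer look before anything in that folder is run.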