Updating Your SimpleHelp Installation and Upcoming Certificate Changes

Information on why you should upgrade to newer SimpleHelp releases to protect against certificate revocation.

Antony Miguel

Like many remote access tools, SimpleHelp has been used by bad actors to gain unauthorised access to systems they don't own. We want to be clear: SimpleHelp has not been compromised. There is no vulnerability being exploited. The software itself is working exactly as intended. The issue is that older versions of SimpleHelp, like older versions of many remote access products, can be deployed and configured in ways that make misuse easier than it should be.

We've spent the past several releases addressing this directly.

What We've Done

Starting with SimpleHelp 5.5.12, SimpleHelp includes a server verification dialog that requires users to confirm which server they're connecting to before a session is established. Once a server address is approved, it enters a trusted store and won't prompt again. No configuration change can bypass this confirmation. The only way to pre-verify a trusted server is by running SimpleHelp with specific launch parameters, which requires a level of access a bad actor wouldn't typically have.

This makes it significantly harder for someone to silently deploy SimpleHelp and redirect connections without the end user's knowledge.

In SimpleHelp 6.0, we went further. We commissioned an independent security review from Agile Information Security and incorporated their recommendations. SimpleHelp 6.0 adds technician device authorisation, remote access service approval, an application-level firewall, and a built-in security audit tool that analyses your configuration and flags potential issues. You can read the full details in our post on what's coming in v6 and why we had our code reviewed.

What's Changing with Code Signing

Both SimpleHelp 5.5.15 and 6.0 (currently in prerelease) are signed with a new code signing certificate. Once we're satisfied that our customers have had time to update, we will be revoking the certificate used by earlier versions. This means older versions of SimpleHelp will no longer be recognised as signed software and may be blocked by operating systems and security tools.

We're giving advance notice so that nobody is caught off guard. But we'd encourage you to update sooner rather than later.

What You Should Do

Update your SimpleHelp installation to either 5.5.15 or the 6.0 beta. Both are available from the SimpleHelp Downloads page.

Updating to SimpleHelp 5.5.15 ensures you're on the new certificate and includes the latest fixes. If you want the full set of new security controls, v6.0 is the release to move to (though we recommend you wait for the full release before using this version in production).

If you have any questions about the update process or the certificate change, contact us at [email protected].