Viscosity version 1.9.4 is now available for both macOS and Windows! This update is a security release and includes an important security fix for the macOS version, OpenSSL updates for both platforms, and a number of small bug fixes.
On the macOS side, a privilege escalation vulnerability has been identified that could potentially allow a local user to gain elevated privileges with a maliciously crafted update bundle. Local machine access is required, it cannot be exploited remotely, and it does not affect the security of VPN connections. However, as it potentially allows a standard user to gain admin (root) permissions, we've classified it as a high severity issue. We strongly encourage all macOS users to update to version 1.9.4 as soon as possible, particularly those in multi-user or enterprise environments. Special thanks to AfkVkas for taking a look at Viscosity and identifying this attack chain.
While the Windows version is not affected by this issue, we've taken the opportunity to perform some additional hardening of the service in this update. Both versions also include an updated version of OpenSSL and several small bug fixes.
Version 1.9.4 Mac Release Notes:
Version 1.9.4 Windows Release Notes: