UPDATE: The list of Mac versions has been updated on 01/04 11AM UK time to reflect that one of them was shipped with Update 6.
Early this morning we informed our partners and customers that our Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue. We have since learned that Electron Mac App version number 18.11.1213, shipped with Update 6, and version numbers 18.12.402, 18.12.407 & 18.12.416, shipped in Update 7, have also been affected. Fortunately, anti-virus vendors flagged the executable 3CXDesktopApp.exe and blocked it.
3CX Appoints Leading Incident & Forensics Company Mandiant
In response to this, 3CX has appointed Mandiant, a renowned American cybersecurity firm, subsidiary of Google and the market leader in threat intelligence. With their help we will be able to review this incident in full. Whilst their investigation is underway, we ask you to follow the instructions below immediately.
Ensure Your Server Has the Latest Update Installed
3CX Hosted and StartUP users do not need to update their servers, as we will be updating them automatically overnight. Servers will be restarted and the new Electron App MSI/DMG will be installed on the server. We recommend that you DO NOT install or deploy the Electron App. This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored, and in case any users decide to deploy the app anyway. There might be disruption for a few minutes while we restart your server.
Self-Hosted and On-Premise - Install update
For Self-Hosted and On-Premise, follow these steps:
- Launch Management Console
- Go to Updates
- Download Mac Desktop App - 18.12.422
- Download Windows Desktop App - 18.12.422
Uninstall the Electron App On the Clients / Desktops
Follow these steps to uninstall the Electron App for Mac or Windows:
For Windows:
- Start
- Type “Control Panel”, Enter
- Select “Programs and Features”
- Find 3CX Desktop App, select and press “Uninstall”.
On Mac:
- Go to “Applications”
- Tap on “3CX Desktop APP”
- Right click then “Move to Bin”
- Ensure that it isn’t also present on the Desktop; if it is, delete it from there as well.
- Empty the Bin
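To decide which desktops to work through first, the version lists in this advisory can be matched against a software inventory export. The Python below is an added example, not 3CX code; the CSV columns, the hostnames and the handling of a trailing ".0" are assumptions, and the inventory rows are constructed.

```python
import csv
import io

# Version lists copied from the advisory text above.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
REBUILT = "18.12.422"  # update published for both platforms

# Constructed inventory export; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """host,os,app_version
ws-001,Windows,18.12.416
ws-002,windows,v18.12.407.0
ws-003,Windows,18.11.1213
mb-001,macOS,18.11.1213
mb-003,macOS,18.12.422
ws-004,Windows,
"""

def normalize_version(raw):
    # Assumption: some inventory tools report 'v18.12.407.0'; reduce to 3 parts.
    parts = raw.strip().lstrip("vV").split(".")
    if len(parts) == 4 and parts[3] == "0":
        parts = parts[:3]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return ".".join(str(int(p)) for p in parts)

def normalize_os(raw):
    name = raw.strip().lower()
    if name.startswith("win"):
        return "windows"
    return "mac" if name.startswith(("mac", "osx", "darwin")) else None

def classify(os_name, version):
    platform, ver = normalize_os(os_name), normalize_version(version)
    if platform is None or ver is None:
        return "unknown"    # cannot be matched; check the host by hand
    if ver in AFFECTED[platform]:
        return "affected"   # listed in the advisory for this platform
    if ver == REBUILT:
        return "rebuilt"    # advisory still recommends the PWA instead
    return "unlisted"       # not named in the advisory; not a clean bill of health

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["os"], r["app_version"]) for r in rows}
```

Call `triage()` on your own export to get a host-to-status mapping; hosts marked "affected" are the ones running a version this advisory names for their platform.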
Use PWA instead of the Electron APP - Here's how
- Login to the Web Client
- You have two options:
  - Click on the OS icon below the user avatar. A new dialog will open; select “Web App (PWA)” and then hit the “Install” button.
  - OR click on the “Install” button (a screen with an arrow) located in the address bar and confirm. See the icon circled red in the screenshot.
- To set the app to auto start:
  - On Google Chrome: Open your Chrome browser and type ‘chrome://apps’ into the address bar. Right click on “3CX” and enable “Start app when you sign in”.
  - On Microsoft Edge: Select Auto-start in the dialog that appears after installation.
PWA only works on Google Chrome and Microsoft Edge - not on Safari or Firefox
You can read more in the Web Client user manual.
Avoid Using the Electron App Unless Absolutely Essential
In a day or two, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron App unless there is absolutely no alternative. The Electron App update that we are releasing today is considered to be secure, but there is no guarantee, given that we only had 24 hours to make the necessary adjustments.
More Information to Come - Transparency Assured
We are still working to decipher the full extent of the attack and we promise full transparency as soon as we are clear on everything. We don’t want to jump the gun and make wrong assumptions. Please follow our forum and blog as well as our LinkedIn, Twitter, Facebook and Instagram pages as we’ll continue to update our customers and partners regularly.
Our Continued and Very Sincere Apologies
We continue to offer our very sincere apologies to all our partners and customers worldwide. The entire 3CX team continues to work around the clock.