For many, many years we have lauded the use of CCleaner to clean and optimize Windows-based workstations in many different environments. Unfortunately, our stance is changing today. Security researchers at Cisco Talos discovered that the 32-bit version of CCleaner 5.33 was triggering alerts on their advanced malware protection systems. They found that malware had been bundled into the official CCleaner installer, which millions of users had downloaded. While having the software installed does not affect the system immediately (and we had it installed on a number of ours), the implanted code gives an adversary a foothold that could be used to install other malware or ransomware on the affected system.
What is especially concerning about this compromise is that CCleaner is owned by the software security firm Avast. This raises the question of how the tampered build slipped past the company's analytics and quality control processes: the malware was bundled with the official version hosted directly on the company's own servers. Inherently, this damages the trust consumers place in a software vendor. If users cannot trust the official vendor as the source for updates and security patches, then where are they to turn?
The answer lies in open source technology.
Software teams, especially smaller ones (like perhaps the developers behind CCleaner), only have a limited set of "eyeballs" combing through the code to find flaws or vulnerabilities. They have to protect their proprietary code, and thus they are "closed source." But what happens when a software team opens up its code for all to see, contribute to, and monitor? Generally, community developers will help on software projects and contribute their "eyeballs." This can reduce the risk of exploitable flaws or tampered code being shipped with a release. That is the idea behind open source: it is crowdsourced software development.
Ultimately the point is this: while there will always be a need for proprietary software for specialized computing tasks, not everything needs to be proprietary, and this is especially true for "commoditized" IT services such as PC optimization, antivirus, or even operating systems. Lots of open source projects still have a long way to go to reach maturity, but many are ready for use today (did you know that Google Chrome is based on open source software?). Unfortunately for CCleaner, this incident will not bode well for its future. We will most likely be recommending a more vendor-neutral, open source product such as BleachBit, which works on multiple platforms.
If you still want to use CCleaner after this, please update to the latest version (5.34). Alternatively, you can just remove it completely to ensure there are no future risks.
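Checking which workstations actually carry the affected build is the first step before updating or removing it. The script below is an added example, not code from the original post or from Piriform/Avast; it assumes a constructed CSV software inventory (hostname, product, version, architecture) such as an endpoint management tool might export, and flags the 32-bit 5.33 build as compromised and anything older than 5.34 as needing an update.

```python
"""Triage a software inventory for the trojanised 32-bit CCleaner 5.33 build.

Added example (not part of the original post). The inventory format is a
constructed CSV: hostname,product,version,architecture.
"""
import csv
import io

# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = """hostname,product,version,architecture
ws-001,CCleaner,5.33.1234,x86
ws-002,CCleaner,5.33.1234,x64
ws-003,CCleaner,5.34.1300,x86
ws-004,CCleaner,5.31.1100,x86
ws-005,Notepad++,7.5.1,x86
"""

AFFECTED_VERSION = (5, 33)   # only the 32-bit build of 5.33 was trojanised
FIXED_VERSION = (5, 34)      # clean release recommended in the post
THIRTY_TWO_BIT = ("x86", "32-bit", "i386")


def parse_version(text):
    """Turn '5.33.1234' into a comparable tuple of ints, ignoring non-numeric parts."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def classify(version, arch):
    """Return 'compromised', 'update' or 'ok' for one CCleaner install."""
    major_minor = parse_version(version)[:2]
    if major_minor == AFFECTED_VERSION and arch.lower() in THIRTY_TWO_BIT:
        return "compromised"          # remove, then investigate the host
    if major_minor < FIXED_VERSION:
        return "update"               # not the tampered build, but below 5.34
    return "ok"


def triage(inventory_csv):
    """Return {hostname: status} for every CCleaner install in the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "ccleaner":
            continue                  # other products are out of scope here
        result[row["hostname"]] = classify(row["version"], row["architecture"])
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as "compromised" should be treated as an incident candidate rather than just patched, since the post notes the implant could have been used to deliver further malware.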
We will be creating another post soon with some popular (and generally free) open source alternatives.