Server Maintenance

Thank you for using EmEditor.

Today, we will begin switching our server host to a more secure and fast platform, and the transition might take several days.  For this reason, connections to our server and the SSL encryption might be temporarily disrupted.  Please refrain from posting new messages to our forums until our transfer is completed.  There is no effect on the access to Emurasoft Customer Center https://www.emurasoft.com/support/ https://support.emeditor.com/ and EmEditor updates using the Update Checker.

Thanks for your patience.

Please update to a newest version

This is an important security message.

We notice that many customers still use EmEditor v14.5.3 (or older). The updater in the old versions of EmEditor contained security vulnerability. For the safety of our customers, the updater in the older versions had been disabled since we removed the update configuration files in our server in response to the security incident. Although this incident was resolved, it is still potentially unsafe to continue using the old versions of EmEditor (from v10.0 through v14.5.3). The new versions of EmEditor (v14.5.4 or newer) is safe because it uses the improved updater which will not run an installer if the digital signature of the installer mismatches our signature.

If you are still using an old version of EmEditor (from v10.0 through v14.5.3), please download the newest version from our download page and install.

If you have not installed v14 before, you might need a v14 registration key. Your v14 key can be found in the Resend Keys page of Emurasoft Customer Center. Many customers already have lifetime licenses without their noticing, and so please check this page. If you don’t have a lifetime license nor a v14 key, you might need to purchase a new license.

Including this reason, if for some reasons, you can’t install the newer version, please disable the updater by selecting the Customize Update Checker on the Help menu of EmEditor.

If you have once installed a new version and want to revert to an old version, you can uninstall the new version, and then install the old version. You can find an old version in the sub folder of C:\ProgramData\Emurasoft\EmEditor\updates\update.

If you have issues with installing or uninstalling, please refer to our FAQ.

We apologize for any inconveniences. If you have any questions, please contact us using this form.

Switching to Avangate

We are excited to announce that we are switching our online payment partner to Avangate. Our customers will appreciate more features including telephone support in many counties, the ability to control the renewal option during check-out as well as the new fresh user interface. Optional Backup CD and Download Insurance Service are now unselected by default.

If you experience any issues during the checkout, please don’t hesitate to contact us. We always value your feedback.

Thank you.

 

Investigation report about the hacking incident

Yesterday, we received the final investigation report from JPCERT/Coordination Center.

How unauthorized hacking was happened

From the various remained access logs, we could not identify the cause for the unauthorized hacking. We confirmed suspicious accesses (web and ftp) from 203.194.144.#, and we confirmed traces of attack attempts in early August. However, we couldn’t identify how the hacker entered our site just by these traces. There were no successful logins from these IP addresses.

About unauthorized redirects

From the remained access logs, the following 2 accesses were considered unauthorized accesses redirected by the .htaccess that was placed by a hacker.

#.#.#.# - - [18/Aug/2014:05:41:38 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"
#.#.#.# - - [18/Aug/2014:06:19:04 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"

These accesses match with the IP addresses written in the .htaccess, the time frame when the incident happened. Also, the number of bytes written in the access log (884) was different from the number of bytes written in the other accesses in the other time frame and other IP addresses.

Usually access logs look like:

#.#.#.# - - [10/Aug/2014:03:45:09 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"

the number of bytes is 855 for this file, but the above two accesses show the number of bytes as 884 bytes.

The clients who own the above IP addresses were contacted by JPCERT/CC, and found there were no malware infections. The access logs record all accesses including merely update checking without actual installation.

Future measures

In addition to routine updates of WordPress plug-ins and themes, we periodically scan our site for malware, monitor files on the server, access logs, and block suspicious IP addresses. On August 29th, we protected the entire site of emeditor.com with SSL encrypted connections. We are also planning to move our forums to another site or an electronic mailing list for improved security.

The next version of Advanced Installer that we used to make the Update Checker will be able to block update installers without the same digital signature as ours. The future EmEditor versions will restore the Update Checker with improved security.

We apologize for any inconveniences that this situation might have caused you

See also:

Possible malware attack by EmEditor Update Checker

Possible malware attack by EmEditor Update Checker

Dear EmEditor user,

We have found malicious files were placed in a subfolder of the EmEditor website, and we estimate these files were placed by a hacker between 6:36 am and 11:20 am on August 18th in the Pacific Daylight Time (USA and Canada), or between 1:36 pm and 6:20 pm on August 18th in the UTC. If a user uses EmEditor Update Checker from one of certain IP addresses, a malicious program, not EmEditor, might have been installed. The IP addresses are:

For the following list, * represents any number between 0 and 255. All 256 numbers between 0 and 255 are IP addresses in question.

12.44.85.*
12.189.27.*
12.233.153.*
42.147.69.*
49.101.250.*
61.211.224.*
63.119.133.*
64.102.249.*
64.235.145.*
64.235.151.*
66.129.241.*
77.248.69.*
86.111.221.*
106.139.26.*
106.188.131.*
114.160.192.*
118.103.17.*
118.238.0.*
124.248.207.*
133.6.1.*
133.6.91.*
133.6.94.*
133.56.0.*
133.74.211.*
133.173.2.*
150.26.82.*
173.36.196.*
173.38.209.*
182.162.60.*
188.111.86.*
194.98.194.*
198.135.0.*
199.167.55.*
203.104.128.*
203.180.164.*
204.15.64.*
209.97.118.*
210.17.188.*
210.172.128.*
210.174.36.*
210.224.179.*
216.228.150.*
219.195.174.*

For the following list, # represents a number between 0 and 255, but only one number represents the IP address in question. To protect users’ privacy, the actual IP address is hidden by #. If your IP address is included in this list, please contact us at [email protected] with your IP address, and we will let you know your IP address is included.

12.234.38.#
61.202.251.#
101.110.12.#
101.110.14.#
101.110.15.#
101.111.185.#
108.28.100.#
117.103.185.#
118.159.230.#
118.159.235.#
124.85.138.#
126.205.203.#
133.6.76.#
153.163.255.#
180.0.96.#
180.6.227.#
202.7.107.#
202.62.253.#
206.13.28.#
210.148.24.#
210.164.30.# (2 IP addresses)
210.169.198.#
210.175.75.#
210.233.113.#
210.237.143.#
211.7.234.#

If your IP address is included in any of the above lists, and if you use the Update Checker of EmEditor during the above time frame, there is a possibility that your computer might have been infected by a virus. If so, please use anti-virus software to clean your computer.

To check your IP address, please go to www.google.com, enter “My IP”.

Currently, our server hosting company is scanning the whole website. As soon as the scan is completed, we plan to resolve the issue completely by all means.

We will keep you informed of our progress. If we cannot get access to our website, we might use Twitter, Google+, or Facebook to make announcements.

We apologize for any inconveniences that this situation might have caused you.

 

Website scans were completed and all websites are clean

Our website scans were completed, and all our websites were clean, including all of our foreign language EmEditor websites as well as Emurasoft Customer Center. This means this English website was not affected by this case.

Nevertheless, as a precaution, we recommend changing your password if you have an account in one of our sites, and please do not share the same password with Emurasoft Customer Center or any other websites.

To prevent future hacker attacks, we have tightened our security level. We no longer accept new members automatically. If you are not a member yet, and if you would like to join our forums, please contact us.

Once again, we apologize for any inconveniences.

Thank you for using EmEditor!

EmEditor foreign language websites attacked by hackers

Dear EmEditor user,

On August 12th, 2014, we discovered traces of malicious code in our Japanese EmEditor home page and Simplified Chinese EmEditor home page. Because of this, we temporarily stopped our websites, and we have been checking and cleaning up the sites. In the Japanese site, there were traces where usernames, passwords, and IP addresses of users might have been compromised.

If you have an account in the Japanese site, it is strongly recommended that you change your password. To change the password, please go to the Forums page and log into your account. After signing in, you will see a menu bar showing at the top of the webpage. Go to the top right corner of the webpage that shows your username and in the drop-down menu click “Edit My Profile” .

Currently, there is no evidence that other language sites including this English site was compromised, and there is no evidence that Emurasoft Customer Center was compromised. However, as a precaution, we strongly recommend changing your password if you have an account in these sites. If you share the same password with other websites, we also recommend changing your passwords with those sites.

We apologize for any inconveniences that this situation might have caused you. We are still scanning other language home pages. We will keep you updated if there are any progresses. Thank you.

 

Our servers are not affected by the OpenSSL security issue (the Heartbleed bug)

Many of you may have heard about the recent OpenSSL security issue dubbed “The Heartbleed Bug.” Our websites including Emurasoft Customer Center (https://support.emeditor.com/) are not affected by this vulnerability because this bug only affects a specific set of OpenSSL versions that we do not use on our servers. If you have any questions, please contact us anytime.

Thank you for using EmEditor!