Applies to: Centrify Identity Service, App/App+ Edition
Centrify Customer Advisory - Centrify Browser Extension Security Issue
Centrify is committed to protecting our customers by providing solutions that enable secure access to applications and infrastructure. Our teams became aware of a means by which use of the Centrify Browser Extension, combined with a logged-in user accessing a malicious website, may lead to that site obtaining the user’s authentication token for a relying party application. Centrify has no evidence or suspicion that this attack has been used. It is out of an abundance of caution, and our goal of transparent, responsible security, that we have fixed this issue in the Centrify browser extension, version 1.139.16101, now available to all customers for immediate download.
This issue is specific to Centrify Browser Extension users only. To ensure the continued security of your users, it is highly recommended that all customers using the browser extension upgrade to the latest version immediately.
On October 28th 2016, Centrify became aware of a security vulnerability within the Centrify browser extension. Centrify regularly undergoes security audits and reviews from a variety of vendors with an eye toward finding such issues. We are confident that this helps us provide the high level of security and service we know our customers expect. A dedicated audit focused on this issue and the Centrify Browser Extension specifically will be undertaken due to the discovery of this issue.
This issue has been addressed in Centrify Browser Extension version 1.139.16101. It is highly recommended that all customers upgrade to the latest version of the browser extension immediately.
Viewing installed Browser Extension version
The Centrify Browser Extension version is displayed from within the browser add-in management interface. Refer to your specific browser documentation for more information.
Browser Extension Installation
Users can install the Centrify browser extension using one of the following self-service options:
- The user portal displays a banner on the Apps page above the application icons that has a link the user can click to initiate installation.
- The first time a user opens an application that requires the browser extension, the user portal opens a pop-up that prompts the user to initiate the installation.
Administrators can deploy the Centrify browser extension using one of the following options:
- The systems administrator sends the below link for installing the browser extension directly to users. When users click the link, the installer identifies the user’s default browser and installs the corresponding extension.
Note: the individual download links and the browser extension files for Chrome, Firefox, Safari, and Internet Explorer are provided via the Downloads item in the account name drop down menu in Cloud Manager.
Thank you for being a Centrify customer and working with us to enact these changes for your security. If you have any questions or concerns, please open a case with Centrify Support. We are available to assist during this transition in every way. For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/