
A "free update is required for Acronis True Image..."

Thread solved

I received an email message today showing a from address of noreply@sender.acronis.online. The message explained to me that a "free mandatory software update for Acronis True Image" was available. The message continued:

"We highly recommend that you install this update before February 2022. Doing so will not only enhance your security, but is also necessary for all product features that use the Acronis Cloud to continue working properly. If you choose not to update your software, certain functionalities will be unavailable beginning in February."

The message contained a link to where I can download the "installer" of the free update. The link is to a page on the link.acronis.online site.

I verified that my copy of Acronis Cyber Protect Home Office, build 39703, is the latest build available. I therefore conclude the email message is a fraud. The message is very slickly produced and looks genuine except for the implausibility of there being a "required" update that I must install before next Tuesday when I'm only hearing about it now. There are also subtle grammatical errors in the message, although they are minor enough that a native speaker could make them.

I want to draw attention to this issue. I'm concerned that someone seems to know that I'm a customer of Acronis's products and what email address I am using with Acronis. Could it be that Acronis has some sort of data breach? Has anyone else received an email message like this? Who should I contact to follow up with the proper Acronis authorities?

Thanks!

In case the message is legitimate, I should note that I was a user of Acronis True Image but, of course, that name got changed. I don't know if this message is supposed to be for people who are still using True Image... maybe?


Hello Peter!

This message is legitimate and it's meant to encourage all users to update the software to the latest builds that were recently released to cover security requirements.

More info is available here: https://kb.acronis.com/content/69830.

If you are using Acronis Cyber Protect Home Office editions, make sure to have it updated to the latest build as well.

Thank you!

Do you use Windows or Mac?

Do you use one of the following products?

  • True Image 2017
  • True Image 2018
  • True Image 2019
  • True Image 2020
  • True Image 2021

Or are you using the new "Cyber Protect Home Office"?

I know it's unfortunate and inconvenient that True Image 2021 has been renamed to Cyber Protect Home Office, but I think it should still say "True Image 2021" in the title bar of the program window if this is what you're using. The name change is mainly seen in marketing materials and on forums, not on the product itself, unless you have very recently purchased one called "Cyber Protect Home Office".

Did it mention build 39703 specifically or any other build number?

I have not received any such e-mail. But I usually reject most such e-mails... newsletters, updates and so on.

I have not read the linked KB article in full, but this seems to be related to the topic I started about the release notes for build 39287 for Windows.

https://forum.acronis.com/forum/acronis-cyber-protect-home-office-forum…

 

I just wanted to pop in and say I also assumed that the email was a fraud. It's very odd to me that I'd get an unsolicited email telling me to click on a link to update my software (which of course one should never do anyway) when the software is perfectly capable of letting me know that updates are available to install. That email just has all the hallmarks of a very well done fraudulent email/phishing attempt.

The knowledge base article does not specifically reference the Cyber Protect Home Office product, which makes me think it might not reference my product. I do think however it would make a lot of sense for Acronis to make it clear in the article that the update does NOT reference the Cyber Protect Home Office product, assuming that is the case, given the fact that I was sent the (apparently legitimate) email telling me to update even though it appears that I don't need to and the email seems to imply that it needs to be done for pretty much every version of the product (except apparently mine).

I'm just going to assume that the email, if legitimate, doesn't reference my product.  I've verified through my account page that I have the most current build (build 39703) and so I'm going to hope I don't need to do the update. Of course, that is the hope given that I do backup some of my info to Acronis Cloud.

Acronis should have done a better job of making sure that Cyber Protect Home Office product users understand they are not impacted by this update.  Or better yet just not send those users the email in the first place....

 

 

Thanks for the comments. The product I'm using calls itself "Acronis Cyber Protect Home Office" build 39703 (for Windows). That name ("Acronis Cyber Protect Home Office") is in the title bar, on the splash screen, and everywhere else a name is shown that I can see.

When I first purchased the product, it was called "True Image." That was last year (2021). Shortly after I purchased it, I received notification about the name change and was offered an update to reflect that change. I downloaded and installed the update. I believe that's what I'm using now. However, that was months ago. I'm given to understand that the email message I received is a reminder for the update that I already applied way back in the past. That might be why it confused me so much. Also receiving an update reminder for a *mandatory* update only one business day before my "current" version will stop working smells like a fraud, even if it isn't. I would have expected more lead time on the reminder message.

Anna said, "... encourage all users to update the software to the latest builds that were recently released to cover security requirements." By "recently released" do you mean last October? It looks like build 39703 was released on October 25, 2021. I wouldn't consider that "recent," but I suppose it's a matter of perspective.

Anyway, what I'm running now claims to be the latest build, so I guess I'm all set!

Thanks again.

Peter, there have not been any recent new build updates for ACPHO after #39703 to date so you are already at the latest one.

The email notification wasn't very well worded and has caused some confusion among other users too, especially given that Acronis has updated versions from ATI 2017 through 2021 over the past several weeks with these 'mandatory' new updates but hasn't done the same for any versions that are older than that such as 2016 and earlier that some users are still using.

The focus of the security updates here is related to access to the Acronis Cloud servers and the Online Dashboard, suggesting that any users with a version before ATI 2017 will lose the ability to sign in with their Acronis Account credentials or use the Acronis Cloud / Dashboard should they be in a position to do so.

Regarding ACPHO, that version is subscription only, thus if you do not maintain your subscription then it will stop working for all major functions apart from recovery of existing backups if stored locally. If ACPHO also needs a new build for the security changes indicated in the emails, then I am sure that it will be forthcoming soon!

Hello! I tried to mark Steve Smith's message as the solution to my question, but nothing seemed to happen when I did that, so I'm not sure if it "took." (I'm using MS Edge on Windows 11).

I want to thank all who replied to my original message. To summarize, it sounds like I'm fine with what I have for now. I do agree that Acronis should be very careful with unsolicited email messages. My guess is that their customer base is more sensitive to security issues than average and will scrutinize unsolicited email with a fine-toothed comb. The trigger points for me were:

1. The timing. I received the message on January 28 (Friday) and was told I needed to install an updated version of the software "by February" (so February 1... the following Tuesday). I feel like a legitimate message would have come with more lead time.

2. The large button in the message for downloading the installer. I agree with Paul that the product itself should inform users about updates. I certainly wasn't going to use a link in an unsolicited email. I did visit the Acronis web site, but information about the update wasn't easy to find there.

3. The use of the word "functionalities" in the email message. I did some research online, for example, at the English StackOverflow site, about this usage. Apparently in American English one typically refers to the set of functions of a system by just using "functionality." That is, we speak of the functionality of a single system, reserving "functionalities" for when talking about a group of unrelated systems. However, I learned that using "functionalities" for a single system is common in non-American English, suggesting that the message might have been written by a non-native speaker (or at least a non-American speaker). I'm sure Acronis has many non-American employees, but that, coupled with the other points, just added to the overall look of it being a fraudulent message. 
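The domain side of the checks discussed in this thread, as an added example that is not part of any forum post: it pulls the sender domain and link hosts out of a message and lists those that are not under a domain the reader already trusts. The sample message is constructed from the description in the first post, and `TRUSTED_DOMAINS` is an assumption based on the kb.acronis.com and forum.acronis.com links in the thread, not an official Acronis list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the reader already trusts for this vendor.
TRUSTED_DOMAINS = {"acronis.com"}

# Constructed sample shaped like the message described in the thread.
SAMPLE = """\
From: Acronis <noreply@sender.acronis.online>
Subject: Free mandatory software update for Acronis True Image
Content-Type: text/plain

We highly recommend that you install this update before February 2022.
Download: https://link.acronis.online/
Details: https://kb.acronis.com/content/69830
"""

def under_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a genuine subdomain of one.

    Matching on the dot boundary keeps 'notacronis.com' and
    'acronis.com.example.net' from passing a naive substring test.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(raw):
    """Return the sender domain, link hosts, and hosts needing confirmation."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    hosts = {urlsplit(u).hostname for u in urls} - {None}
    candidates = hosts | ({sender_domain} if sender_domain else set())
    return {
        "sender_domain": sender_domain,
        "link_hosts": sorted(hosts),
        # Not proof of fraud: these need confirming through a trusted channel.
        "unverified": sorted(h for h in candidates if not under_trusted(h)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A host in `unverified` is one to confirm through a channel already trusted, such as the vendor's own knowledge base, before following the link.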

I am using Acronis True Image for Western Digital 2021, which is supported by Western Digital. All updates appear via Western Digital, not from Acronis. This version can upload to the cloud for backups. To add to the confusion, this version is not mentioned in the email, nor is there any mention of this urgent update on the Western Digital Support Website. Not sure what to do here.

I also have ATI 2019 on another computer but do not use cloud backups, and do not intend to. Do I nonetheless need to update ATI 2019 to keep access to my dashboard?

 

Thanks,

Greg

I received the same vaguely worded email, and assumed it was corporate double-speak to trick any holdouts still using ATI into converting to ACPHO.

J K wrote:

I received the same vaguely worded email, and assumed it was corporate double-speak to trick any holdouts still using ATI into converting to ACPHO.

That may be a hidden motive but not one that is declared in the documentation which is speaking only of Acronis strengthening security for their Cloud and Dashboard services / servers.

From Acronis in other forum posts:

Acronis Knowledge Base article:

https://kb.acronis.com/content/69830.

Versions 2017-2021 have new builds released containing necessary security updates. 

Same notification message is now published at Acronis support page: https://www.acronis.com/en-us/support/.

After receiving criticism, they have further clarified what protocols have been improved as well as what products are unaffected by this.

In the KB article, they now write:

TLS is a cryptographic protocol that provides authentication and data encryption between different endpoints, e.g. between Acronis True Image and Acronis servers (both for storing backups in Acronis Cloud and for activation, registration and sync via internet). As of February 2022, Acronis cloud infrastructure supports TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Acronis cloud data centers are built to provide the highest levels of safety, security, and accessibility. To ensure that these standards are maintained, Acronis commits to use TLS 1.2 security protocol for network communications.

Security protocols are like software; they require continuous updates and enhancements. Which is why we are shipping free mandatory software updates to Acronis True Image (versions 2017-2021) that enable the use of TLS 1.2 in older versions of Acronis True Image, to make certain that you are protected by the strongest algorithms and ciphers.

Acronis Cyber Protect Home Office supports TLS 1.2 starting from the release version. Current enterprise and MSP Acronis solutions, such as Acronis Cyber Protect and Acronis Cyber Protect Cloud always use TLS 1.2.

They make it clear now that Acronis Cyber Protect Home Office is unaffected by this.

They have also updated the security advisory page I linked to previously (see the link in my previous post), so that it now lists the advisories (bugs).

SEC-3359 – published 7 days ago
Local privilege escalation due to unrestricted loading of unsigned libraries
high severity CVE-2022-24115 @vkas-afk

SEC-3316 – published 7 days ago
Local privilege escalation due to race condition on application startup
high severity CVE-2022-24114 @vkas-afk

SEC-3059 – published 7 days ago
Local privilege escalation due to DLL hijacking vulnerability
high severity CVE-2021-44205 @xdanes09

SEC-3058 – published 7 days ago
Local privilege escalation due to DLL hijacking vulnerability in Acronis Media Builder service
high severity CVE-2021-44206 @xdanes09

SEC-2881 – published 7 days ago
Local privilege escalation due to excessive permissions assigned to child processes
high severity CVE-2022-24113 @penrose

SEC-2355 – published 7 days ago
Local privilege escalation via named pipe due to improper access control checks
medium severity CVE-2021-44204 @xnand

Thank you Acronis! I am happy with the way you have responded. In the future, try to publish these along with the updates. Also, try not to send mass e-mails about software updates. You can use the program itself for that. Or if you must send e-mails, try to target only those users that are using the affected products to avoid unnecessary confusion. Surely, you must be able to tell who is using what product.