Chromium update and its impact on Invicti products

Are you currently utilizing a Windows 8 or Windows 2012 R2 server to run Invicti products? If yes, please continue reading; if not, feel free to stop here.

TL;DR

Invicti has recently implemented important updates to Chromium in order to improve the security and performance of our products. As part of this update, we have upgraded our application and agents with the latest Chromium iteration. However, it’s important to note that this update is not compatible with legacy operating systems like Windows 8 and Windows 2012 R2. This is in line with Microsoft’s decision to cease support for these platforms. If you are currently using Invicti agents on these older systems, we strongly suggest upgrading to a newer OS or disabling agent updating within Invicti. For customers using newer systems, you can expect to benefit from enhanced security measures with this upgrade.

New Chromium version

At Invicti, we prioritize the safety and reliability of our systems to provide you with the best possible experience. In line with this commitment, we’re excited to share some important updates regarding the Chromium versions used in our infrastructure and their implications for operating system compatibility.

The recent advancements in Chromium technology have led to the discovery and resolution of several critical and high-severity vulnerabilities in Chromium. It is important to update our products to keep a high-security standard.

Updating the application and agents with the latest Chromium version

To address this, we’ve taken proactive measures to update Invicti products with the latest Chromium version. This update brings numerous benefits, including enhanced security measures and improved performance. However, it also presents a challenge: the newer Chromium versions no longer support older operating systems such as Windows 8 and Windows 2012 R2. We understand that this may impact some of our customers who rely on these platforms.

Windows 8 and Windows 2012 R2 end of support

Microsoft discontinued support for Windows 8 as of January 10, 2023, and for Windows 2012 R2 as of October 10, 2023. While the loss of compatibility may pose initial obstacles, it’s crucial to view this as a necessary step toward maintaining robust security and compatibility standards.

We recognize the importance of this update and are dedicated to offering support and guidance exclusively for our products throughout the transition period.

Actions required and guidelines for incomplete server updates

If you run Invicti Agents and Auth-Verifiers on the above-mentioned (or older) servers, you need to update your systems to a later version of the corresponding OS or disable agent auto-updating in Invicti Enterprise. If you run Invicti agents on newer systems than those mentioned above, there’s no problem—Invicti Enterprise will use a newer and more secure component.

We acknowledge the considerable effort involved in upgrading your servers to a more recent version. Nevertheless, it is imperative to note that the accountability for any potential risks arising from failing to update the servers rests with you. As such, we strongly recommend that you take the necessary measures to ensure that your servers are up-to-date, as this will help to mitigate the risk of any security breaches or other related issues.

If you decide to temporarily disable the Agents’ and Auth-Verifiers’ auto-updates in lieu of updating your systems at this time, follow the steps below. Later, once you have updated your server(s), you can take the same steps to re-enable auto-updates.

IMPORTANT: If you decide to disable agent auto-updating, you will NOT receive any updates on these agents. This means the older agents will continue to work, but you will not receive any new functionality or patches from Invicti.

Invicti Enterprise On-Demand users with Internal Agents and Auth-Verifiers

This is only applicable to those Invicti Enterprise On-Demand users who use Invicti’s Internal Agents and Internal Auth-Verifiers. Follow these steps to check and disable auto-updates on both the Agents and Auth-verifiers:

1. Disable Auto-Updates for Internal Agents
   • Log in to Invicti Enterprise.
   • Go to Agents > Manage Agents
   • Find the Agents that you want to disable Auto-Updates.
   • Click Commands on the far right and select Disable Auto-Updates.
2. Disable Auto-Updates for Internal Verifiers
   • Go to Agents > Manage Verifiers.
   • Locate the Verifiers that you want to disable Auto-Updates.
   • Click Commands on the far right and select Disable Auto-Updates.

Invicti Enterprise On-Premises users

As an Invicti Enterprise On-Premises user, you have Agents, Verifiers, and the Application hosted locally. The process to disable all three is detailed below:

1. Disable Auto-Updates for Internal Agents
   • Log in to Invicti Enterprise.
   • Go to Agents > Manage Agents.
   • Find the Agents that you want to disable Auto-Updates.
   • Click Commands on the far right and select Disable Auto-Updates.
2. Disable Auto-Updates for Internal Verifiers
   • Go to Agents > Manage Verifiers
   • Locate the Verifiers that you want to disable Auto-Updates.
   • Click Commands on the far right and select Disable Auto-Updates.
3. Application Update
   • Upon receiving a notification about the 24.6 release updates scheduled for June 13th (Invicti Enterprise On-Demand and Invicti Standard) and June 27th (Invicti Enterprise On-Premises), avoid downloading the zip file for installation altogether. If it’s already downloaded, postpone the installation until after updating your servers.
   • After updating your servers, proceed to download and install the latest version of the Invicti Application. The download link will be available in the Application.