Split tunneling returns to all Windows users

ExpressVPN’s engineers have restored the feature after temporarily disabling it while investigating and fixing a bug.

[Update on April 16, 2024] Cybersecurity firm Nettitude has conducted a security audit on our Windows apps to verify the remediation of the DNS issue related to split tunneling. Learn more and read the full report.

Split tunneling is once again available to Windows users, thanks to some dedicated bug fixing by ExpressVPN’s engineers.

We’ve just released new versions of both Version 10 and Version 12 of the ExpressVPN app for Windows, to introduce new filter logic and eliminate any potential for unexpected DNS request behavior when split tunneling is activated.

We recently rolled out an update that removed split tunneling on Version 12 of our Windows app after an expert VPN reviewer reported unexpected DNS request behavior when using split tunneling. No other VPN protections, such as encryption, were affected. Although we estimated this issue to affect less than 1% of Windows users, we immediately disabled split tunneling on Version 12 while we worked on finding a solution.

The newest Windows releases (Version 12.74.0 and Version 10.51.0) are now available, and we recommend that all Windows users update their apps today.

How did we track down and eliminate the bugs?

The first step in any bug-fix process is to consistently reproduce the issue. This means not only investigating the impacted code but also ruling out any external factors that may have contributed to the bug to ensure that the full extent of the issue and its root cause are properly understood.

The issues around split tunneling were challenging to consistently reproduce. We eventually determined that the issue was not a single bug with a simple fix, but a complex situation in which specific issues and use cases converged to create a set of scenarios where DNS leaks could occur (but would not always occur).

In total, we diagnosed two separate bugs with two distinct root causes.

The first issue was introduced when we built our split-tunneling feature for Version 12 of the ExpressVPN Windows app (this issue was never present in Version 10). In every instance, the DNS cache service should have been automatically directed to use the VPN. However, when split tunneling was activated in “Only allow selected apps to use the VPN” mode, the DNS cache service was allowed to operate outside the VPN, which meant that some DNS requests might be misdirected. This has been corrected on Version 12 of the Windows app.
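The first bug can be seen in a simplified routing model. This is an added example, not ExpressVPN's code: the function names, mode strings, process names and sample flows are constructed, and the "exclude_selected" mode is an assumption included only to show why the leak is specific to the allow-list mode.

```python
from dataclasses import dataclass

VPN, DIRECT = "vpn", "direct"
# Windows resolves names for applications through the DNS Client service,
# so port 53 traffic belongs to this service, not to the app that asked.
DNS_CACHE_SERVICE = "Dnscache"

@dataclass(frozen=True)
class Flow:
    process: str   # process or service that owns the socket
    dst_port: int

def route_buggy(flow, mode, selected):
    """Hypothetical per-process split-tunnel policy with no DNS special case."""
    if mode == "off":
        return VPN
    if mode == "only_selected":      # "Only allow selected apps to use the VPN"
        return VPN if flow.process in selected else DIRECT
    if mode == "exclude_selected":   # assumed complementary mode
        return DIRECT if flow.process in selected else VPN
    raise ValueError(f"unknown mode: {mode}")

def route_fixed(flow, mode, selected):
    """Same policy, but the DNS cache service is always sent through the VPN."""
    if flow.process == DNS_CACHE_SERVICE:
        return VPN
    return route_buggy(flow, mode, selected)

def dns_leaks(router, mode, selected, flows):
    """Return the DNS flows (port 53) that the policy routes outside the tunnel."""
    return [f for f in flows
            if f.dst_port == 53 and router(f, mode, selected) == DIRECT]

# Constructed sample traffic: a tunneled browser, its name lookups made by
# the DNS cache service, and an app that is not on the selected list.
SAMPLE_FLOWS = [
    Flow("browser.exe", 443),
    Flow(DNS_CACHE_SERVICE, 53),
    Flow("updater.exe", 443),
]

if __name__ == "__main__":
    selected = {"browser.exe"}
    for name, router in (("buggy", route_buggy), ("fixed", route_fixed)):
        leaks = dns_leaks(router, "only_selected", selected, SAMPLE_FLOWS)
        print(name, "leaking DNS flows:", leaks)
```

In the model, the browser's own traffic is tunneled in both versions; only the lookups made on its behalf by the DNS cache service escape, which is why a leak test has to watch port 53 on the non-VPN interface rather than the selected app's connections.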

The second issue was caused by the presence of other VPN apps on a Windows device. When other VPN apps were installed, even if they were not in active use, it was possible for their filtering rules to affect the performance of our app. This cross-contamination only occurred when split tunneling was turned on. We improved the filtering logic to eliminate potential DNS leaks with split tunneling. This second issue had the potential to affect Version 10 and Version 12 of the ExpressVPN app for Windows, and so the fix was pushed on both versions of the Windows app.

However, this second issue only impacts Windows users who have the ExpressVPN app, have split tunneling turned on, and also have other competing VPN apps installed. All three conditions would need to be met in order for a potential leak to happen. We also know from the difficulty of reproducing the issue that it only happens in some situations, even when all three conditions are met. We estimate that far less than 1% of Windows users could have been affected by the second bug.

Once the issues were properly identified and diagnosed, our engineers were able to build and merge a fix, add automatic tests, and test the new code to ensure the fix was complete.

After rigorous checking by our in-house team, we also offered the original bug reporter a chance to beta-test the fix before we released it to our users. Attila Tomaschek, the VPN expert and staff writer at tech publication CNET who reported the bug, confirmed through independent testing that our build was bug-free and ready for our Windows users.

Another word of thanks

ExpressVPN thanks everyone involved in reporting and testing this issue. We are extremely grateful to our extensive community of customers, beta testers, and experts who take the time to notify us of potential issues or suggest improvements in our products. We invite anyone interested to join our beta testing program, and we offer a generous bug bounty to security researchers who report problems, no matter how small, that allow us to make our apps safer and better for all our users around the world.

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.