
Required security update


  • Level 5
Posted

I just got the email, and found the announcement here:

Basically, we must accept the bugginess of the current release of Evernote in order to avoid the more dangerous bugginess of earlier releases. The reason is that, in those earlier releases, "our software was occasionally sending your authentication token across the Internet using HTTP without first encrypting it." Note content and passwords are not affected, only "authentication tokens," whatever those are.

The announcement goes on to say, "To protect customers, we have blocked access from older versions of Evernote for Windows and have done the same for a small number of third party applications. We have also revoked the authentication session tokens for anyone currently running a vulnerable version of our app." That sounds like I shouldn't be able to access Evernote from my Windows program; but I just made a test note and it synced fine in both directions (as tested through the Web interface). Maybe it's just a matter of time till it fails; or maybe I need to log out and back in for it to fail.

Evidently post-v.-6.7 bugginess can be avoided: "If you had previously blocked upgrades beyond version 6.7, we are providing a hotfix that you can download here: http://cdn1.evernote.com/win6/public/Evernote_6.7.6.7584.exe." I presume that will update me from v. 6.5 to 6.7, but with the HTTP issue fixed. But 6.7 has issues of its own, as I recall.

I was actually planning to update to 6.14 when it's released, since it seems to have resolved many of the issues people have identified in these forums. Guess I may be stuck with either 6.7 or 6.13 till 6.14 gets out of beta.

  • Level 5*
Posted

Just patch 6.7 for now if 6.7 is where you want to be. No other changes should be in the patch other than this security issue.

  • Level 5
Posted

I received the email notice today.

"We have fixed the issue and see that you have already updated to a safe version of Evernote Windows."

I wonder how they can see I have a safe version. I am still using version 6.6.4 (which is 12 months old).

"To ensure that your account is secure, we need you to select File > Sign out and sign back in. Please do this by August 20th, 2018, or we may log you out on your behalf."

I did the >File >Exit and logged back on with name and password. My version 6.6.4 is still running fine after logging back in. I'll continue to sit on the sidelines and watch the comments until the August 20 deadline.

  • Level 5*
Posted

Your user agent isn't a secret. I would assume they can track that with every connection and login.

  • Level 5
Posted
43 minutes ago, EdH said:

Your user agent isn't a secret. I would assume they can track that with every connection and login.

I don't understand. Evernote sent me an email which said I was safe: "We have fixed the issue and see that you have already updated to a safe version of Evernote Windows."

 

  • Level 5*
Posted
3 minutes ago, jbenson2 said:

I don't understand. Evernote sent me an email which said I was safe: "We have fixed the issue and see that you have already updated to a safe version of Evernote Windows."

 

Oh, well. There is a bug in their agent identification tool. Color me shocked.

  • Level 5
Posted
2 minutes ago, EdH said:

Oh, well. There is a bug in their agent identification tool. Color me shocked.

Thanks. Does that mean my old version is at risk and I need to upgrade to the current version? I'm sure Evernote would like everyone to use the latest version, but their email implied I was OK. I don't think they put enough thought into writing clear instructions.

Posted

Reposting this to answer everyone's questions. Evernote Team blocked Evernote versions older than 6.7.6 due to a security flaw they found. They are refusing to create patches for older versions. I'm pissed because the newer versions beyond 6.5.4 have wide GIANT ASS margins on the sides. My employees use small monitors mounted to the wall, and I have spacing constraints. The margins reserved for tables make no sense. The devs could have made a floating table toolbar instead.

Anyways. They state that they are only supporting 6.7.6 and higher due to this security flaw. However, the patch they released for 6.7.6 is broken. So, you'll have to upgrade to 6.8.7. When they fix 6.7.6, then you can jump to that. Link to 6.8.7->> https://filehippo.com/download_evernote/80354/

Posted

Looks like they quit supporting Server 2008 with 6.8.7.

I am stuck with only 1 working version, 6.7.6, for this OS-controlled environment.

Yeesh!  

Posted
2 hours ago, Mike. said:

Reposting this to answer everyone's questions. Evernote Team blocked Evernote versions older than 6.7.6 due to a security flaw they found. They are refusing to create patches for older versions. I'm pissed because the newer versions beyond 6.5.4 have wide GIANT ASS margins on the sides. My employees use small monitors mounted to the wall, and I have spacing constraints. The margins reserved for tables make no sense. The devs could have made a floating table toolbar instead.

Anyways. They state that they are only supporting 6.7.6 and higher due to this security flaw. However, the patch they released for 6.7.6 is broken. So, you'll have to upgrade to 6.8.7. When they fix 6.7.6, then you can jump to that. Link to 6.8.7->> https://filehippo.com/download_evernote/80354/

Error. Post to remove

Posted
12 hours ago, EdH said:

Ignore the email. Do what this thread says. Do not assume you are ok if you are below 6.8.

Cannot download the Hotfix Exe file from that link.

I wanna stay on 6.7 if I can. Any luck downloading the file? This is what I get:

[Attached image: image.png]

  • Ex Employees
Posted
2 hours ago, sunvalley said:

Very disappointed with this forced upgrade to later versions I don't want. Oh and the posted link for the Hotfix is incorrect as well.

The Hotfix has a period at the end that you need to remove. The link below is exactly the same without the period.

http://cdn1.evernote.com/win6/public/Evernote_6.7.6.7584.exe

 

 

Thanks for the callout. It's fixed now. Sorry about that!

  • Level 5*
Posted

Apparently they are taking this very seriously, as they should. I just got a phone call from Evernote to be sure to update. Of course, I am on 6.14.something so I have the update, but they want every customer updating, enough to spend money to have people make phone calls. Well done I say. 

Posted
1 hour ago, EdH said:

Apparently they are taking this very seriously, as they should. I just got a phone call from Evernote to be sure to update. Of course, I am on 6.14.something so I have the update, but they want every customer updating, enough to spend money to have people make phone calls. Well done I say. 

Phone call huh?! Impressive...most impressive. Looks like they are taking it seriously.

Posted
4 hours ago, Austin G said:

Thanks for the callout. It's fixed now. Sorry about that!

That broken link cost me an upgrade to 6.13....followed by aggravation and disappointment....followed by uninstall....followed by reinstall of 6.7 and redownloading of 14K notes. :) 

No complaining though, I am back operational with my 6.7 which works nicely for me.

Happy Friday!

Posted

Holy moly, I thought I'd give in and see what the latest version offers.  I had an afternoon recording lockups and broken features by hand with pen/paper because... 6.13 EN was practically unusable and inaccessible since it was in lockup state a lot of the time.

Last night, when I first found myself locked out, I thought a lot of the alarmed user feedback was a bit aggressive, but it turns out that some of those users have been following along for the past year or so, while I've been living under a rock in relative bliss with 6.5.4.

After my experience today with 6.13, I'm becoming a little concerned - is anyone paying attention to the product, or are these updates just being shoved out to the public without testing?  Seriously, I can't have this.  I need my searches and EN operation to be fast, responsive and reliable, and I need EN to not lockup regularly, requiring force close.  13 is a p.o.s.  I'm understanding now why other users are so frustrated and vocal in their feedback.  Who releases software like this as a finished version?  This is early stage BETA behavior.  That's not what I'm paying for.  Give me back 6.5.4, or give me a product that works.  Ridiculous.  Who's in charge of this #$%* show and how is this acceptable?  I've trusted and evangelized EN for years.

You guys gotta fix this.

  • Level 5*
Posted
8 hours ago, AndreasM said:

BOYCOTT NEW VERSIONS ON ANY DEVICE!!!!

I completely support your right to not install software or upgrades on your devices.

  • Level 5*
Posted
17 hours ago, msgvb said:

You guys gotta fix this.

In the meantime you can try the 6.7.6 version.  Not saying things don't need to be fixed for sure, just it seems to be an option that is working for others.  Last version prior to the attack of the bugs.

 

Posted
7 hours ago, CalS said:

In the meantime you can try the 6.7.6 version.  Not saying things don't need to be fixed for sure, just it seems to be an option that is working for others.  Last version prior to the attack of the bugs.

Yes, agreed, this is good information for anyone affected.
That's where I am right now, currently testing out both versions.
One machine has the 6.7.6 referenced in the bulletin, and the other I decided to try the latest downloadable installation, 6.13.14.

6.13.14 was so hit or miss.  I would not be able to use that in a production environment.

6.7.6, I'm messing with this afternoon on a second machine.  I did an in-place update/upgrade the other night, and it seemed mostly okay.

After the business with 6.13.14, and going through some troubleshooting basics including a fresh database rebuild locally, I decided that I also wanted to rebuild my 6.7.6 local database from a fresh online copy, too.  So I signed out, closed all Evernote applications, deleted a few files out of the user profile EN folders (specifically the .exb database file), and started up again.  It wasn't resyncing the entire database like I've seen before.  All my notes seemed to be there, but seemed to be only placeholders.  They wouldn't download until I tried to access them.  My 5 - 6GB database was only showing up as around 160kb.

I tried a few other things, but in the end figured there was something else about the configuration tied to some other files somewhere in the user profile, maybe some sync status file or log or something.  It could have been seeing the notes as synced, I don't know.

Anyway, I did a full removal using Revo Uninstaller, wiped all advanced leftovers and registry entries, rebooted, reinstalled 6.7.6, and it's syncing properly now.

I'm going to roll with 6.7.6 for a while like others, but this just doesn't make sense to me, releasing software that doesn't work properly.

I'm not sure the developers are to blame here.  I have to wonder whether this is a management thing, pushing for changes on schedules/deadlines that don't make sense.  Or changes/features that no one really cares about anyway.  If the majority of Evernote subscribers are anything like me and what I've seen of most of the community here, I don't think they're subscribing because of Evernote's attempts to offer cutting edge bells and whistles.  It's because it's pretty much the only cross-platform organization tool of its kind.  But it has to work, and has to be reliable.  I'd rather wait longer in between versions if it means I can trust that it will be a solid release.  I mean, jeez, come on, I've been running 6.5.4 for a year and a half and not thinking twice about it!

Change for a reason is good.
Change for the sake of change not good.  Especially when it breaks stuff or removes features that people have grown to count on.

And for goodness sake, can someone stop the Material Design-y web view on shared notes/URLs, please?  What a waste of space.

 

EDIT:  Okay, I gotta say, 6.7.6 is cranking so far.  After completely removing, restarting, and reinstalling, getting a full sync, I've been running some tests and so far, it's screaming fast.  I'm impressed.  Scrolling, content generation, edits, syncs, the whole bit.  Changing notes is near instantaneous.  I may play with the search as type delay option a bit.

I'm happy again.

  • Level 5*
Posted
48 minutes ago, msgvb said:

6.13.14 was so hit or miss.  I would not be able to use that in a production environment.

Any things in particular?

46 minutes ago, msgvb said:

I tried a few other things, but in the end figured there was something else about the configuration tied to some other files somewhere in the user profile, maybe some sync status file or log or something.  It could have been seeing the notes as synced, I don't know.

Hard to tell now, but perhaps Enable on demand sync was checked in Tools - Options - Synchronization. The behavior you described sounds like it.

49 minutes ago, msgvb said:

But it has to work, and has to be reliable.

Amen.

 

Posted

Okay, I gotta say, 6.7.6 is cranking so far.  After completely removing, restarting, and reinstalling, and getting a full sync, I've been running some tests, and so far, it's screaming fast.  I'm impressed.  Scrolling, content generation, edits, syncs, the whole bit.  Changing notes is near instantaneous.  I may play with the search as type delay option a bit.

I'm happy again.

Posted
5 hours ago, CalS said:

Any things in particular?

Mostly 6.13.14 was locking up a LOT.  I haven't had a chance to mess with it since wiping and resyncing the database.
Given some hiccups on another machine with 6.7.6, and the way I worked through it as noted above, and with the benefits I'm seeing now, I may try the same thing on the 6.13.14 machine before abandoning it and dropping back to 6.7.6 on that one, too.

To clarify, the difference would be to try a complete removal and reinstallation of Evernote, as opposed to an in-place upgrade from 6.5.4 to 6.13.14, with a manual database delete and rebuild afterward.

If this sort of remove/wipe/reinstall/resync is to be expected between version upgrades, it might be prudent to add a "For best results" note along with the Update Available notifications?

5 hours ago, CalS said:

Hard to tell now, but perhaps Enable on demand sync was checked in Tools - Options - Synchronization. The behavior you described sounds like it.

That's a good heads up, I didn't really quite understand the difference between instant, automatic and background, though I did check them and tried a few different things.  Didn't seem to make any difference, even with getting out and back in.  Scrolling down the note list would show Requesting...

Seemed the best course of action was the wipe, reinstall, and resync.
My database is about 5GB.  I must've had some bloat somewhere, because on one of the other machines it was showing up in Windows Explorer at 6.1GB

Anyway, as long as I don't come across any showstopping surprises as I move forward, 6.7.6 is working great.

[Attached image: evernote sync settings.png]

  • Level 5*
Posted

@msgvb

6.13.14 is working fine for me, other than the PDF viewer and edit issues.  Things I cope with   

You might want to uncheck the Enable instant sync option.  I used it at one point but found it not to always work the same way, i.e., quickly.  So now if I want a quick sync I force one.  FWIW.

Posted

Aht, yes, I agree, and typically do have Instant Sync disabled as well.  I think with the first version I used where it was introduced, I found that it was making my experience a bit laggy with typing and changes while it synced updates.  I think I'm usually set for 15 or 30 minutes, and Manual Sync is just a natural part of my workflow as I create and edit. 

I'll be back to working with 6.13.14 tomorrow, and will have a better sense for it then, since it will be a fresh installation and sync, and not an in-place upgrade. 

  • Level 5*
Posted
On 8/12/2018 at 9:50 AM, msgvb said:

I'll be back to working with 6.13.14 tomorrow, and will have a better sense for it then, since it will be a fresh installation and sync, and not an in-place upgrade. 

6.14 beta is out, though there isn't a forum post on it.  Supposed to have fixed the note focus issue when first click in a note with text still in the search bar.  I haven't tried it as yet.

 

Posted
On 8/11/2018 at 3:45 PM, msgvb said:

Change for a reason is good.
Change for the sake of change not good.  Especially when it breaks stuff or removes features that people have grown to count on.

Cannot disagree with this point at all.

Well put.

  • Level 5
Posted

OK, I took the deep breath and used the provided link to update to 6.7.6. It installed OK (on the second try; the first one hung up and had to be canceled, at which point I took another breath). It seems to work OK, in very brief testing. At any rate, it synced properly and promptly. I didn't have to do a whole uninstall and reboot, fortunately. The wide note margins are pointless, but don't waste so much space that it's unusable. I don't use tables much, but when I do the new options may be useful. So, moving right along....

Posted

You're updating to 6.7.6? What am I missing? The current version (I believe) is 6.13.14.7474.

 

There are so many version numbers floating around these forums it makes my little head spin.

Posted
4 minutes ago, Major Major said:

You're updating to 6.7.6? What am I missing? The current version (I believe) is 6.13.14.7474.

 

There are so many version numbers floating around these forums it makes my little head spin.

:)

I believe he was at 6.4 so he upgraded to 6.7. A lot of people now are on older versions so an upgrade does not mean to 6.13 anymore. We all are behind (!) in a sense but we are also so ahead compared to 6.13. :) 

Posted
25 minutes ago, Major Major said:

Huh?

We are behind on upgrading to 6.13 but 6.7 is so much better (ahead of) 6.13. 

  • Level 5
Posted
5 hours ago, Major Major said:

You're updating to 6.7.6? What am I missing? The current version (I believe) is 6.13.14.7474.

 

There are so many version numbers floating around these forums it makes my little head spin.

 

4 hours ago, TK0047 said:

We are behind on upgrading to 6.13 but 6.7 is so much better (ahead of) 6.13. 

The versions from approximately 6.8 to 6.13 have been filled with bugs in the editor, making an already very basic editor, well, sub-basic for many people (based on reports here). I have declined to update because of that, staying with the solidly reliable v. 6.5.4. But that version became unusable when it was blocked due to an obscure security error (you didn't see that, @Major Major?). The alternatives were update to 6.13, still bug-ridden by all reports here, or install a v. 6.7.6 hotfixed to prevent the security bug. I chose the latter. There have been encouraging reports about 6.14, currently in beta, and when it's released I'll probably update to it.

Notice that I have been studiously avoiding the word "upgrade," because not much about new versions of Evernote for Windows has seemed like a real upgrade for quite a long time now.

Posted

How's everyone doing after their updates?

I'm still testing two Windows machine installations, one on 6.7.6 and the other on 6.13.14.
Happy to report that both are running stably and reliably on my end.

  1. The 6.7.6 install seemed to work pretty well as an in-place upgrade
     
  2. The 6.13.14 install, also an in-place upgrade, initially seemed to go okay, but then I started having problems with Evernote hanging up frequently.  I tried a few different things for this, in order from least invasive to full removal, reinstallation and full resync.

I've been using 6.13.14 this week in a production environment, and it's been running great for most of my regular use.  Fast, even.  I've not had it lock up on me once.  The only weird thing I'm seeing right now is that I'm unable to indent when using the Code Block function.

If anyone is having any problems with either 6.7.6 or the latest distribution, this process is what fixed me up:

  • Make a database backup (Make sure you aren't using any local, non-synced folders.  If you are, be SURE you back these up as well.)
  • Maybe use a screen capture utility to record any program settings, like toolbar preferences, sidebar preferences, sync preferences, etc.
  • Execute a complete removal and reinstallation.
    • I used a little utility called Revo Uninstaller (there's a free version available if you want to try it out; buy it if you like it to support them)
    • Choose Advanced, and elect to delete all leftover files, registry entries, etc.
  • Reboot after this.
  • Install either 6.7.6 or the current 6.13.14 (I've found that 6.7.6 is pretty close to 6.5.4 as far as I can tell so far, with the exception of the note padding and tables; I'm sure there's more)
  • Reboot again after the installation before you log into Evernote and sync.
  • After the second reboot, log into your Evernote account, and let it sync.
  • While you're waiting, pull up your screen captures/configuration notes, and reconfigure your preferences.

This worked great for me on a 6.13.14 installation, which was just short of unusable after an in-place upgrade from 6.5.4, and left me feeling extremely frustrated for a few days when the news of the forced update first broke, and I was locked out of 6.5.4.  I may employ the Clean Install method on any new upgrades moving forward.  Both installations of Evernote seem to be running better than before, and I've done database deletes/resyncs before as general maintenance, and even as part of the troubleshooting this time around.  The R&R seems to have made the difference for me.

 

I need to read up more on the issues with 6.13.14, so I'll know what to watch out for.

 

Archived

This topic is now archived and is closed to further replies.
