#26769 Patch for AdminTools of newest security issue from 14.12 maybe for Joomla 2.5.27 available?

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by on Thursday, 19 January 2017 17:17 CST

deeno
Dear team, does an old Joomla 2.5.27 with AdminTools 2.6.2 have protection from the latest Joomla security issue reported on 14.12? We have a problem with a certain website of a customer we cannot update, because a custom extension breaks... Any help/info/workaround is greatly appreciated! All best, Konstantinos

nicholas
Akeeba Staff
Manager
No. We have discontinued support for Joomla! 2.5 in February 2015. The Joomla! security issues reported after that (October 2015, December 2015 and December 2016) are not addressed by the old versions of Admin Tools. Moreover, since we have discontinued support, we will not be backporting these features to the old versions.

Joomla! 2.5 has been end of life since December 31st, 2014. If you couldn't afford to upgrade the site in the past two years then maybe it's a site not worth maintaining and protecting. If it was you would have assessed the risk of running outdated software as far more costly than the upgrade and already upgraded the site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

deeno
Thanks for the quick reply. Sometimes it's unfortunately only in the hands of the customer to decide...

nicholas
Akeeba Staff
Manager
My comment was meant for the client's stance against their site. I know that web professionals are always suggesting an upgrade. We've been there, done that, we know exactly what will happen when the site is not upgraded. Well, you can't fix stubborn clients but you can charge them rush fees when they decide to upgrade way too late for comfort.


deeno
Thanks for the quick reply. Sometimes it's unfortunately only in the hands of the customer to decide...
What about J3.4.8? Same problem, can't update.

nicholas
Akeeba Staff
Manager
You can run Admin Tools 4.0.2 on Joomla! 3.3.0 and later, including Joomla! 3.4.8. Admin Tools 4.0.2 was already preventing against the security issues fixed between November and December 2016.

Please note that the two security fixes in Joomla! 3.6.5 were mostly of the "you can hack yourself" variety. One bug had to do with the way the internal Joomla! ACL API returns values to third party extensions. That was responsibly reported through the encrypted JSST contact form and fixed by yours truly. It can only affect third party extensions in some rare circumstances.

The other bug was that you could set the Users component's options to set the default User Group to Manager, Administrator or even Super User! That would allow anyone to self register an account and immediately get backend access to your site. That was irresponsibly reported by JoomlaWorks publicly on Twitter and fixed by the JSST. Frankly, a site owner would have to be dumber than Jim Carrey's character in Dumb & Dumber to do that and isn't really a security issue. However, since it was publicly reported the JSST had to fix it and call it a "security issue".

The real problem was what was fixed over a month ago in 3.6.4. That was a nasty issue which could allow an attacker to manipulate the front-end user self-register form to create a privileged account due to the use of some legacy code in Joomla! 3. This is a security issue which probably doesn't affect Joomla! 2.5 but nobody really knows so the security advisory covers every possible Joomla! version where this code might be present: 1.6.0 to 3.6.3 inclusive. That was mostly addressed since Admin Tools 3.8. Admin Tools 4.0.2 added extra protection for another attack vector which we haven't seen in the wild, would be completely impractical (can't be automated). In any case it is a valid attack vector, however improbable, so we are defending against it too. Better be safe than sorry!

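A defender-side audit for the default User Group misconfiguration described in the reply above, as an added example that is not part of the original thread or of Admin Tools. It assumes you have exported the com_users options JSON, the `#__usergroups` id/parent pairs and the root asset rules; the sample data is constructed to resemble a default Joomla! 3 install, and the ACL evaluation is a simplified model (an explicit deny on the group path wins).

```python
import json

# Constructed sample data resembling a default Joomla! 3 install (assumption):
# #__usergroups as id -> parent_id, plus part of the root asset's rules JSON.
USERGROUPS = {1: 0, 9: 1, 6: 1, 7: 6, 2: 1, 3: 2, 4: 3, 5: 4, 8: 1}
ROOT_RULES = json.loads(
    '{"core.login.site": {"6": 1, "2": 1},'
    ' "core.login.admin": {"6": 1},'
    ' "core.admin": {"8": 1}}'
)
# Actions that give backend login or Super User rights.
BACKEND_ACTIONS = ("core.login.admin", "core.admin")


def group_path(group_id, usergroups):
    """Return the group followed by all of its ancestors, nearest first."""
    path, seen = [], set()
    while group_id in usergroups and group_id not in seen:
        seen.add(group_id)
        path.append(group_id)
        group_id = usergroups[group_id]
    return path


def is_allowed(action, group_id, usergroups, rules):
    """Simplified check: an explicit deny (0) anywhere on the group's path
    wins; otherwise any explicit allow (1) grants the action."""
    rule = rules.get(action, {})
    values = [rule.get(str(g)) for g in group_path(group_id, usergroups)]
    if 0 in values:
        return False
    return 1 in values


def audit_registration(com_users_params, usergroups, rules):
    """Return findings for a com_users options JSON string."""
    params = json.loads(com_users_params)
    group = int(params.get("new_usertype", 2))
    granted = [a for a in BACKEND_ACTIONS
               if is_allowed(a, group, usergroups, rules)]
    if not granted:
        return []
    is_open = str(params.get("allowUserRegistration", "0")) == "1"
    state = "open" if is_open else "closed"
    return [f"new_usertype={group} grants {', '.join(granted)}; "
            f"self-registration is {state}"]
```

A finding with registration closed is still worth correcting, since it becomes exploitable the moment registration is re-enabled.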

deeno
great explanation! euxaristw!

nicholas
Akeeba Staff
Manager
You're welcome :)


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
