This is a security-focused release. While there are no known security issues in Kickstart itself, we have spotted a concerning pattern: a small but not insignificant number of users misuse Kickstart against all advice and common sense. They leave Kickstart (with an easy-to-guess name) and an unencrypted, non-password-protected backup archive behind on the server. Attackers take advantage of this mistake to start a restoration and take control of inadequately protected sites. We are now employing technical measures to make this pattern of misuse much harder.
Improved, custom PHAR stub for better compatibility. We identified the limitations of PHP's default PHAR stub (execution code) in real-world sites, thanks to the feedback we got from our clients. Based on that insight, we created a custom PHAR stub which addresses these limitations and allows Kickstart 9 to work exactly the same as Kickstart 8 even on more restrictive hosting environments.
Password protection. You can (optionally) protect access to Kickstart with a password. This addresses the situation where you need to leave Kickstart and a backup archive on a server for a longer period, for example because you expect an upgrade to go wrong. Previously, this would have allowed an attacker who successfully guesses the filename of Kickstart to access it and take over your site. Applying a long, complex, randomly generated password effectively mitigates this problem. Again, this is an optional feature. You don't have to use it, but we strongly advise you to.
Do not allow the file to be named kickstart.php (or, more generally, to include the terms kickstart, ks, or akeeba). This was the default in Kickstart Professional, but now it is also enforced in Kickstart Core. It prevents you from using easily guessable filenames which allow an attacker to access Kickstart, take control of the restoration, and hijack your site. We strongly recommend using this feature with a 16 to 32 character long, randomly generated filename, ideally together with password protection, for optimal security.
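The two recommendations above (a random filename that avoids the forbidden terms, plus a long random password) can be prepared from the shell before uploading Kickstart. The script below is an added example for this page, not Akeeba's own code or the check Kickstart itself performs: `kickstart_name_ok` applies the forbidden-term rule named in the release notes case-insensitively, `random_kickstart_name` draws a name of the requested length from `/dev/urandom` and retries when the random string happens to contain a forbidden term (a 16-character random string can contain "ks" by chance), and `random_kickstart_password` produces a password of the kind the notes recommend. The function names, the default lengths and the character sets are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Akeeba's code): prepare a Kickstart filename and password
# that follow the Kickstart 9 release recommendations.

# Return 0 if the candidate filename is acceptable, 1 if it contains one of the
# forbidden terms (kickstart, ks, akeeba), compared case-insensitively.
kickstart_name_ok() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *kickstart*|*ks*|*akeeba*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a random lowercase alphanumeric filename (default length 24, the notes
# recommend 16 to 32) with a .php extension. The random draw is repeated until
# it passes kickstart_name_ok, so a chance "ks" substring is never emitted.
random_kickstart_name() {
    len=${1:-24}
    while :; do
        name=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$len")
        if kickstart_name_ok "$name"; then
            printf '%s.php\n' "$name"
            return 0
        fi
    done
}

# Print a random mixed-case alphanumeric password (default length 32) for the
# optional password protection feature.
random_kickstart_password() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    printf '\n'
}

# Usage: generate both values, then rename the uploaded script accordingly,
# e.g.  mv kickstart.php "$(random_kickstart_name 24)"
if [ "${1:-}" = "--demo" ]; then
    echo "Filename: $(random_kickstart_name 24)"
    echo "Password: $(random_kickstart_password 32)"
fi
```

Run it with `--demo` to print one filename and one password; store the password in your password manager, since Kickstart's protection is only as good as the secret you keep.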