[ Nov 29, 2018 ]
Microsoft has issued a security advisory today warning that two applications accidentally installed two root certificates on users' computers and then leaked the private keys for both.
The software developer's mistake means that malicious third parties can extract the private keys from the two applications and use them to issue forged certificates that spoof legitimate websites and software publishers for years to come.
The two applications are HeadSetup and HeadSetup Pro, both developed by German software developer Sennheiser. The software is used to set up and manage softphones, software applications for making telephone calls over the Internet from a computer without needing a physical telephone.
Making matters worse, the macOS versions of HeadSetup also install the certificates for Mac users, and current HeadSetup updates and uninstall operations do not remove them from the operating system's Trusted Root Certificate Store.
Cyber Security Tips:
- Customers who have installed Sennheiser HeadSetup software should update their apps when the updates become available. Users who have not installed Sennheiser HeadSetup software don’t have to take any action, but they’re still vulnerable to attacks.
- Users or system administrators who can’t afford to wait until Sennheiser releases a HeadSetup update that removes the offending certificates can check the Secorvo report, section 7.2, for instructions on how to manually remove the certificates from the Windows Trusted Root Certificate Store.
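For administrators who want to audit a fleet rather than remove the certificates by hand on each machine, the following PowerShell function lists, and optionally removes, root certificates that match a set of thumbprints or a subject pattern in the Windows Trusted Root stores. It is an added example, not code from this article, from Sennheiser's software or from the Secorvo report; the thumbprint values are placeholders to be replaced with the ones the report publishes (section 7.2), and matching on the vendor name "Sennheiser" in the subject is an assumption to be verified against the report, not proof on its own.

```powershell
function Find-SuspectRootCertificate {
    <#
    .SYNOPSIS
    Lists (and with -Remove, deletes) root certificates in the Windows Trusted
    Root stores that match known-bad thumbprints or a suspect subject pattern.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Thumbprints to match exactly. These are PLACEHOLDERS (an assumption);
        # replace them with the thumbprints published in the Secorvo report.
        [string[]]$Thumbprint = @(
            'PLACEHOLDER_THUMBPRINT_HEADSETUP_ROOT_1',
            'PLACEHOLDER_THUMBPRINT_HEADSETUP_ROOT_2'
        ),
        # Regex applied to Subject and Issuer. Matching on the vendor name is an
        # assumption, so treat a subject-only hit as something to verify.
        [string]$SubjectPattern = 'Sennheiser',
        # Delete matching certificates instead of only reporting them.
        [switch]$Remove
    )

    # Installers normally write to the machine store, but check the user store too.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    $findings = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
            ($Thumbprint -contains $_.Thumbprint) -or
            ($_.Subject -match $SubjectPattern) -or
            ($_.Issuer  -match $SubjectPattern)
        } | ForEach-Object {
            # Record whether the hit came from the authoritative thumbprint list
            # or only from the weaker subject/issuer pattern.
            $matchedBy = 'subject'
            if ($Thumbprint -contains $_.Thumbprint) { $matchedBy = 'thumbprint' }
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                MatchedBy  = $matchedBy
                Path       = Join-Path -Path $store -ChildPath $_.Thumbprint
            }
        }
    }

    if (-not $findings) {
        Write-Verbose 'No suspect root certificates found.'
        return
    }

    if ($Remove) {
        foreach ($f in $findings) {
            # -WhatIf and -Confirm flow through ShouldProcess; the LocalMachine
            # store requires an elevated (Administrator) session.
            if ($PSCmdlet.ShouldProcess($f.Path, "Remove root certificate $($f.Subject)")) {
                Remove-Item -Path $f.Path
            }
        }
    }

    $findings
}

# Usage:
#   Find-SuspectRootCertificate                  # report only
#   Find-SuspectRootCertificate -Remove -WhatIf  # show what would be deleted
#   Find-SuspectRootCertificate -Remove          # delete (run elevated)
```

Run it in report mode first and review the `MatchedBy` column: only thumbprint matches against the published values should be deleted without further checking. Because the article notes that current HeadSetup updates and uninstalls leave the certificates in place, re-run the audit after the vendor's update arrives to confirm the store is actually clean.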