Microsoft warns about two apps that installed root certificates then leaked the private keys

It's a Superfish and eDellRoot déjà vu!

By Catalin Cimpanu for Zero Day | November 28, 2018 -- 02:16 GMT (18:16 PST) | Topic: Security

Microsoft has issued a security advisory today warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all of them.
The software developer's mistake means that malicious third parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.

The two applications are HeadSetup and HeadSetup Pro, both developed by German software developer Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing a physical telephone.

The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers, but also shipped the private keys for all of them in the SennComCCKey.pem file.

In a report published today, Secorvo researchers published proof-of-concept code showing how trivial it would be for an attacker to analyze the installers for both apps and extract the private keys.

Making matters worse, the certificates are also installed for Mac users via the HeadSetup macOS app versions, and they aren't removed from the operating system's Trusted Root Certificate Store during current HeadSetup updates or uninstall operations. In the researchers' own words, "every system on which HeadSetup [...] was installed at any time in the past [...] remains vulnerable" until users manually review the Trusted Root Certificate Store and remove the two certificates, or until the certificates expire, which could be January 13, 2027, or July 27, 2037, respectively.

Sennheiser, the software vendor behind the snafu, has admitted its mistake and removed the two apps from its website's download section while it works on an update scheduled for release later this week. The company says this HeadSetup update will search for and remove the root certificates from affected systems, and replace them with new ones that don't leak their respective private keys.

Customers who have installed Sennheiser HeadSetup software should update their apps when the updates become available. Users who have not installed Sennheiser HeadSetup software don't have to take any action, but they're still vulnerable to attacks.

In the meantime, Microsoft has updated its Certificate Trust List (CTL) to remove user-mode trust in the three certificates. This means that websites or software signed with forged certificates generated using the three offending root certificates will trigger an error for Windows users.

Users or system administrators who can't afford to wait until Sennheiser releases a HeadSetup update that removes the offending certificates can check the Secorvo report, section 7.2, for instructions on how to manually remove the certificates from the Windows Trusted Root Certificate Store. Sennheiser has also published guides on removing the three certificates for Windows and macOS users.

Sennheiser's snafu, tracked as CVE-2018-17612, is not the first of its kind. In 2015, Lenovo shipped laptops with a certificate that exposed its private key in a scandal that became known as Superfish. Dell did the exact same thing in 2016 in a similarly bad security incident that became known as eDellRoot.
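The manual clean-up the article points to (Secorvo report section 7.2 and Sennheiser's own guides) comes down to finding the rogue entries in the Windows Trusted Root store and deleting them. The PowerShell script below is an added example, not code from the article, Secorvo, Sennheiser or Microsoft. It audits both the machine and the current-user Trusted Root stores and goes slightly beyond this one incident: besides matching certificate names, it flags any trusted root whose private key is present on the machine, which is the general condition that made this bug exploitable. The default name pattern and the search location for SennComCCKey.pem are assumptions; the real subject names or thumbprints should be taken from the Secorvo report or the vendor guides.

```powershell
<#
  Added example (not from the article, Secorvo or Sennheiser).
  Audits the Windows Trusted Root stores (machine and user) for:
    1. certificates whose Subject or Issuer matches -SubjectPattern, and
    2. any trusted root whose private key is present on this machine
       (a root CA key should never live on an end-user system).
  The default pattern is an ASSUMPTION; take the real subject names or
  thumbprints from the Secorvo report / Sennheiser removal guides.
  Run from an elevated session to see and remove LocalMachine entries.
#>
param(
    [string]$SubjectPattern = 'SennCom|Sennheiser',   # assumed; replace with the published names
    [switch]$Remove                                   # report only unless this is given
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $nameHit = ($_.Subject -match $SubjectPattern) -or ($_.Issuer -match $SubjectPattern)
        $keyHit  = [bool]$_.HasPrivateKey
        if ($nameHit -or $keyHit) {
            if ($nameHit -and $keyHit) { $reason = 'name+key' }
            elseif ($nameHit)          { $reason = 'name' }
            else                       { $reason = 'private key present' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                SelfSigned    = ($_.Subject -eq $_.Issuer)   # true for a root CA
                HasPrivateKey = $keyHit
                Reason        = $reason
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No matching certificates and no trusted roots with private keys found.'
    return
}

$findings | Format-Table -AutoSize

# The article names SennComCCKey.pem as the file that shipped the private keys.
# Searching Program Files for leftovers is an assumption, not a documented install path.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$pemHits = Get-ChildItem -Path $dirs -Recurse -Filter 'SennComCCKey.pem' -ErrorAction SilentlyContinue
if ($pemHits) {
    Write-Warning "Leaked-key file still present: $($pemHits.FullName -join ', ')"
}

if ($Remove) {
    # Only remove entries matched by name. Roots flagged solely for carrying a
    # private key need manual review: an enterprise-issued local CA may legitimately
    # appear there, so they are listed but never deleted automatically.
    foreach ($f in ($findings | Where-Object { $_.Reason -ne 'private key present' })) {
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -Confirm
    }
}
```

Run it without -Remove first to get the report; the -Confirm on Remove-Item prompts per certificate so a mistyped pattern cannot silently strip a legitimate root. macOS systems named in the article keep the certificates in the System keychain and need a separate check; this script covers only the Windows stores.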