Sennheiser Utility for Macs and PCs Carried a Serious Security Flaw

We usually associate malware with careless internet habits, such as hacking around or visiting untrustworthy websites. But threats sometimes come from seemingly reliable places, whether through a mistake of our own or a programming failure on the other side. Here is one of those cases.

Sennheiser, one of the world's leading manufacturers of audio equipment, revealed today that its utility software for Macs and PCs contained a severe vulnerability which, in practice, let attackers present convincing fake copies of any HTTPS-protected website.

The software in question, HeadSetup, is a utility that manages Sennheiser headsets and speakerphones once they are connected to a Mac or PC. Sennheiser has already fixed the problem and all users should update the software immediately, but updating alone is not enough: you also need to follow the steps described here (PDF) to delete the certificate that made the attacks possible. It is important to follow these steps even if you only used HeadSetup in the past and have already uninstalled it, because uninstalling does not remove the certificate.

The cause of the problem is that the software installed a root certificate in the Mac/PC trust store, while the private key belonging to that certificate shipped inside the software itself, where it was easy to extract. Because the same key was used in every installation, anyone who pulled it out could issue certificates for any domain that affected machines would accept as legitimate HTTPS, recreate a seemingly secure site, and steal information such as logins, passwords and credit card numbers.

Researchers at Secorvo published a proof of concept (PDF) in which they perfectly recreate a Google search page with a spoofed HTTPS certificate, thanks to the vulnerability in the Sennheiser software:

Fake Google site after Sennheiser utility vulnerability

Yes, the German manufacturer stumbled badly. Remember that, for a similar practice in 2015, Lenovo ended up paying $3.5 million to US authorities. Users are left to follow the "cleaning" tutorial linked above and hope that this kind of negligence becomes increasingly rare. After all, if we can't even trust the trusted companies, who can we trust?

via TechCrunch