If you are using Sennheiser HeadSetup and HeadSetup Pro software, then your computer may be at serious risk of attack. Microsoft has published an advisory under the snappily named ADV180029 — Inadvertently Disclosed Digital Certificates Could Allow Spoofing.
Let’s find out what Microsoft says about it, and then see what we can do about it.
Who found the vulnerability?
As is quite often the case, the vulnerability was not found by Sennheiser or even Microsoft. It was found by Secorvo Security Consulting GmbH. You can read the full report here. You can check out the details of the analysis of CVE-2018-17612 by visiting the National Vulnerability Database.
What has Microsoft said?
On the 28th November, 2018 Microsoft published this advisory:
[We are notifying] customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.
What does this mean to users?
What this means in language that even I can understand is that Sennheiser, in a not very smart move, decided that two of its products, HeadSetup and HeadSetup Pro, would install a root certificate into the Windows Trusted Root store without informing the person doing the installation. Anything signed by that certificate is then trusted by the machine as if it came from a legitimate certificate authority.
Two further errors in judgement have compounded the situation:
- The private key belonging to that root certificate was shipped along with the software, in its installation folder.
- The same private key was used for every HeadSetup and HeadSetup Pro installation, so extracting it once exposes every affected machine.
The problem is that anyone who gets hold of that private key can issue certificates that every computer with HeadSetup or HeadSetup Pro installed will trust: server certificates for any website (to intercept HTTPS traffic) or code-signing certificates, exactly the uses Microsoft's advisory warns about. The attacker does not need any access to the machine itself; the trust the installer put there does the work.
What is the solution? Download the hotfix
To be honest, I was about to write a long, and possibly incredibly boring, article about what this all means to you as a Sennheiser user. Fortunately, the company has saved us both from that potentially soul-destroying ordeal.
Sennheiser has just released an update that not only fixes the problem but also rids systems of the original certificate that could have caused the problem in the first place.
Head over to Sennheiser’s HeadSetup Pro page, and you can read all about it.
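After running the update, it is worth confirming for yourself that no Sennheiser root certificate is still trusted, and removing one if it is. The following PowerShell script is an added example written for this article, not code from Sennheiser or Microsoft. The certificate subject names it looks for ("127.0.0.1" and "SennComRootCA") are assumptions based on the listing in ADV180029; check them against the advisory and adjust the -SuspectSubjects parameter if they differ.

```powershell
# Added example: look for the disclosed Sennheiser root certificates in the
# Windows trusted-root and intermediate stores and optionally remove them.
# The default subject names are ASSUMPTIONS taken from the ADV180029 listing;
# confirm them against the advisory before relying on this check.
param(
    [string[]]$SuspectSubjects = @('CN=127.0.0.1', 'CN=SennComRootCA'),
    [switch]$Remove
)

# Both per-machine and per-user stores can hold a trusted root.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            $cert = $_
            # Match on the subject; a self-signed root also has the same issuer.
            $SuspectSubjects | Where-Object { $cert.Subject -like "*$_*" }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Output "No certificate matching $($SuspectSubjects -join ', ') found in the trusted stores."
    return
}

# Report what is still trusted before touching anything.
$found | Format-Table Store, Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    # Removing from the LocalMachine stores needs an elevated (Administrator) shell.
    foreach ($c in $found) {
        Write-Output "Removing $($c.Thumbprint) from $($c.Store)"
        Remove-Item -Path "$($c.Store)\$($c.Thumbprint)" -ErrorAction Stop
    }
}
```

Run it first without -Remove to see whether anything matches; an entry in a Root store whose Subject and Issuer are the same Sennheiser name is the self-signed root the article is about. Rerun with -Remove from an elevated PowerShell window to delete the matches, then run it once more to confirm the stores are clean. Note that Microsoft's CTL update only withdraws user-mode trust; removing the certificate from the store is what the Sennheiser update does, and this check verifies that it happened.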
Wrapping it all up
As is always the case, make sure that you keep up-to-date with all the news about any software you use, and keep an ear to the ground for any reported vulnerabilities.
The best way to do that is to make sure you bookmark Windows Report, and visit us for all the news you could ever need. Plus, we write about lots of other cool stuff too!