Microsoft warns about two apps that installed root certificates then leaked the private keys

[InfoSec News <alerts () infosecnews org>]

https://www.zdnet.com/article/microsoft-warns-about-two-apps-that-installed-root-certificates-then-leaked-the-private-keys/

By Catalin Cimpanu
Zero Day
ZDNet News
November 28, 2018

Microsoft has issued a security advisory today warning that two 
applications accidentally installed two root certificates on users' 
computers, and then leaked the private keys for all.

The software developer's mistake means that malicious third-parties can 
extract the private keys from the two applications and use them to issue 
forged certificates to spoof legitimate websites and software publishers 
for years to come.

The two applications are HeadSetup and HeadSetup Pro, both developed by 
German software developer Sennheiser. The software is used to set up and 
manage softphones --software apps for making telephone calls via the 
Internet and a computer, without needing an actual physical telephone.

The issue with the two HeadSetup apps came to light earlier this year when 
German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 
installed two root Certification Authority (CA) certificates into the 
Windows Trusted Root Certificate Store of users' computers but also 
included the private keys for all in the SennComCCKey.pem file.

[...]



--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_