Microsoft Security Advisory ADV180029 for Sennheiser software
Quote: Microsoft published a security advisory today under ADV180029 -- Inadvertently Disclosed Digital Certificates Could Allow Spoofing -- that warns users and administrators about two Sennheiser software programs that may have introduced vulnerabilities on Windows devices they were installed on.

The two Sennheiser products HeadSetup and HeadSetup Pro installed root certificates on systems they were installed on. Users, who had to run the installer with elevated privileges because of that, were not informed about that.

Older versions of the application placed the private key and the certificate in the installation folder, which in itself is not a good practice. Sennheiser used the same private key for all software installations of Sennheiser HeadSetup 7.3 or older.

Anyone who installed the software on a computer system or got hold of the private key could potentially abuse it because of that. An attacker could issue certificates on the system the software is installed on.

The certificate is self-signed, marked as a CA certificate and valid until January 13, 2027 when installed. The installer "pushes the certificate into the local machine trusted root certificate store of the Windows system on which it is installed".
Full reading: https://www.ghacks.net/2018/11/28/micros...-software/
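A defender-side check for the condition the quoted article describes, as an added example that is not part of the original post or the article: it lists entries in the local machine trusted root store that are self-signed CA certificates expiring on January 13, 2027. `$KnownThumbprint` is a placeholder and the helper name `Test-CaCertificate` is hypothetical, because the page gives no thumbprint or subject name.

```powershell
# Added example (not from the article): list certificates in the local machine
# trusted root store that match the traits the article describes.
# Run on Windows; the Cert: drive is not available on other platforms.

$ExpectedExpiry = [datetime]::new(2027, 1, 13)   # expiry date given in the article
# Placeholder: the page gives no thumbprint; take it from the vendor or Microsoft advisory.
$KnownThumbprint = '<THUMBPRINT-FROM-ADVISORY>'

function Test-CaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A certificate is a CA when its Basic Constraints extension says so.
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc | Where-Object { $_.CertificateAuthority })
}

$findings = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
    $reasons = @()
    if ($cert.Thumbprint -eq $KnownThumbprint) { $reasons += 'thumbprint matches advisory value' }

    $selfSignedCa = ($cert.Subject -eq $cert.Issuer) -and (Test-CaCertificate $cert)
    # Allow one day of slack for time-zone conversion of the expiry date.
    $daysOff = [math]::Abs(($cert.NotAfter.Date - $ExpectedExpiry).TotalDays)
    if ($selfSignedCa -and $daysOff -le 1) { $reasons += 'self-signed CA expiring 2027-01-13' }

    # A private key stored alongside a trusted root is a general hygiene flag.
    if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reasons    = $reasons -join '; '
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No matching root certificates found.' }
```

A hit on the expiry date alone is a lead to review, not proof; confirm against the thumbprint published in the advisory before removing anything from the store.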