Microsoft warns about two apps with incorrect root certificates

Microsoft today published a security advisory in which it warns of two applications that have accidentally installed two root certificates on users’ computers and then leaked the private keys. The mistakes make that malicious people can take advantage of unsuspecting users of the two apps.

Third parties could now extract the private keys of the two apps and use them to create fake certificates for spoof versions of legitimate websites. These are the HeadSetup and HeadSetup Pro apps from the German software developer Sennheiser. The software is specifically designed for setting up and managing softphones – software apps that allow users to make phone calls over the Internet and a computer without the need for a physical phone.

Updates coming up

The problem with the two HeatSetup apps came to light earlier this year, when the German security firm Secorvo found out that versions 7.3, 7.4 and 8.0 installed two root Certification Authority (CA) certificates in the Windows Truested Root Certificate Store of users’ computers. At the same time, the private keys were placed in the SennComCCKey.pem file.

It turned out to be very easy for attackers to analyse the files of both apps and extract the keys from them. In the case of MacOS versions, it was found that the certificates were not removed from the Trusted Root Certificate Store when an update was installed, or the program was uninstalled.

Sennheiser has already confirmed the existence of the error and removed the two apps from its website. It will be until the company releases an update later this week. HeadSetup will also look up and remove the relevant root certificates from affected systems. They will also replace the certificates with new versions that do not just leak private keys. Customers who have the Sennheiser HeadSetup software should install the updates as soon as they are available.