Microsoft has released Security Advisory ADV180029 (Inadvertently Disclosed Digital Certificates Could Allow Spoofing) on November 27, 2018. It fixes the certificate problem caused by Sennheiser software.
Microsoft Security Advisory ADV180029
– ADV180029 | Inadvertently Disclosed Digital Certificates
Could Allow Spoofing
– Reason for Revision: Information published.
– Originally posted: November 27, 2018
– Updated: N/A
– Version: 1.0
Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication. More details are here: Certificate Management Vulnerability in Sennheiser HeadSetup and the CVE is here: CVE-2018-17612.
The certificates were inadvertently disclosed by the Sennheiser HeadSetup and HeadSetup Pro software. Customers who installed this software may be vulnerable, and should visit HeadSetup Update for an updated version of the HeadSetup & HeadSetup Pro software.
As a precaution, Microsoft has updated the Certificate Trust List to remove user-mode trust for these certificates. Customers who have not installed Sennheiser HeadSetup software have no action to take to be protected. Customers who have installed Sennheiser HeadSetup software should update that software via the links above.