A security flaw in the headphone manufacturer Sennheiser's HeadSetup and HeadSetup Pro desktop applications for both Windows and Mac has been identified and patched. A report with full details of the vulnerability, tracked as CVE-2018-17612, has been published by Secorvo Security Consulting. Microsoft has also published a security advisory here.
The vulnerability was that the software installed both an HTTPS certificate and its secret key on the user's machine. Anyone who obtained that key could use the trusted Sennheiser certificate to create new certificates chained to the installed trusted root certificate, and so send users to malicious websites. Whilst this would require a fairly sophisticated attacker and users are at a low risk of being compromised, anyone with this software installed is advised to upgrade it as soon as is practicable to remove the vulnerability.
Sennheiser has posted an update that rectifies the issue by removing the certificates and keys; the software now relies on a secret key that only Sennheiser holds.
The latest software versions are as follows:
Mac and Windows users who are unable to receive automatic updates from Microsoft, or who choose not to update their HeadSetup and HeadSetup Pro software, can find the removal instructions at these links for Macs and PCs.
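As an added example (not code from the article, Secorvo, Sennheiser or Microsoft), the following PowerShell audit lists roots in the Windows trusted-root stores that were not delivered through Windows' own AuthRoot programme, which is where a vendor-installed root such as the HeadSetup one would appear; it is a heuristic, since enterprise PKI and some Microsoft-shipped roots also land there, and the thumbprint used for removal is a placeholder to be taken from the advisory.

```powershell
# Added example, not the vendor's own removal tool. Run in an elevated session.
# Roots distributed by Windows Update live in LocalMachine\AuthRoot; anything in
# the Root stores that is not also in AuthRoot was put there by something else
# (an installer, Group Policy, or an administrator) and deserves a look.
$authRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

$findings = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | Where-Object { $_.Thumbprint -notin $authRoot } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is present on this machine
                # is a red flag: whoever reads the key can mint certificates
                # this system will trust, which is the CVE-2018-17612 scenario.
                HasPrivateKey = $_.HasPrivateKey
                Thumbprint    = $_.Thumbprint
            }
        }
}

$findings | Sort-Object Store, Subject | Format-Table -AutoSize

# Once a listed thumbprint is confirmed to be the unwanted vendor root (compare
# it with the value given in the vendor's or Microsoft's advisory), remove it.
# <THUMBPRINT-FROM-ADVISORY> is a placeholder; the article does not give the value.
# Remove-Item -Path 'Cert:\LocalMachine\Root\<THUMBPRINT-FROM-ADVISORY>'
# Remove-Item -Path 'Cert:\CurrentUser\Root\<THUMBPRINT-FROM-ADVISORY>'
```

Expect some legitimate entries in the output; the point is to review each non-AuthRoot trust anchor deliberately rather than to delete everything listed.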