The recent report published by insecurity experts revealed that Apple security software is perfect for exposing Windows devices. The matter is that the software in question is able to turn over Windows PCs sold by more than 15 largest manufacturers, including Dell and Asus. It exploits Apple’s fingerprint-reading software named UPEK Protector Suite.
Four months ago, Apple spent $356,000,000 to acquire Authentek, which had obtained the abovementioned technology from privately held UPEK a few years ago. So, Apple isn’t actually responsible for creating the vulnerable software, but still keeps playing its security games, thus placing its customers at risk. The software giant has yet to acknowledge the vulnerability and educate the users how to work around it.
Basically, UPEK Protector Suite is used to log into Windows machines with the help of the owner’s unique fingerprint, so that you wouldn’t have to memorize the password. However, the insecurity experts point out that the software makes people less secure than they otherwise would be. The matter is that the program stores Windows account passwords encrypted them with a weak key, which is very easy for hackers to retrieve: the experts said it would take mere seconds. Other security consultants have also confirmed the flaw and even released open-source software which makes it really easy to exploit. The experts announced that they released the software and additional data to allow penetration testers, who are paid to penetrate the defenses of their PCs, to exploit the vulnerability.
When the software is inactive, the operating system doesn’t store account passwords unless you have manually configured automatic log in. The security experts confirmed that every version of the program UPEK Protector Suite they checked had the vulnerability.
A long list of PC makers that preinstall this software includes Asus, Acer, Dell, IBM/Lenovo, MSI, NEC, Samsung, Sony, Toshiba, and others. All of their machines are therefore vulnerable to attack from the Apple software. As for Lenovo, they have a UPEK Protector Suite under the name of ThinkVantage Fingerprint Software. Although Authentic did release a patch for the software a month ago, it was useless because it protected the passwords with encryption which was trivial to brute force.
Four months ago, Apple spent $356,000,000 to acquire Authentek, which had obtained the abovementioned technology from privately held UPEK a few years ago. So, Apple isn’t actually responsible for creating the vulnerable software, but still keeps playing its security games, thus placing its customers at risk. The software giant has yet to acknowledge the vulnerability and educate the users how to work around it.
Basically, UPEK Protector Suite is used to log into Windows machines with the help of the owner’s unique fingerprint, so that you wouldn’t have to memorize the password. However, the insecurity experts point out that the software makes people less secure than they otherwise would be. The matter is that the program stores Windows account passwords encrypted them with a weak key, which is very easy for hackers to retrieve: the experts said it would take mere seconds. Other security consultants have also confirmed the flaw and even released open-source software which makes it really easy to exploit. The experts announced that they released the software and additional data to allow penetration testers, who are paid to penetrate the defenses of their PCs, to exploit the vulnerability.
When the software is inactive, the operating system doesn’t store account passwords unless you have manually configured automatic log in. The security experts confirmed that every version of the program UPEK Protector Suite they checked had the vulnerability.
A long list of PC makers that preinstall this software includes Asus, Acer, Dell, IBM/Lenovo, MSI, NEC, Samsung, Sony, Toshiba, and others. All of their machines are therefore vulnerable to attack from the Apple software. As for Lenovo, they have a UPEK Protector Suite under the name of ThinkVantage Fingerprint Software. Although Authentic did release a patch for the software a month ago, it was useless because it protected the passwords with encryption which was trivial to brute force.
No comments:
Post a Comment