Confirmed: Apple-owned fingerprint software exposes Windows passwords

“Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords,” Dan Goodin reports for Ars Technica.

“The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010,” Goodin reports. “The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.”

Goodin reports, “The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said.”

Read more in the full article here.

MacDailyNews Take: Windows Registry.

25 Comments

      1. I remember when the registry first came out for Win95. Someone was trying to explain to me how wonderful it was and all I could think was WTF – this sounds like a whole heap of trouble.

        The intervening years have continued to support my initial reaction.

      1. Just wait for the lawsuit train to pull out from the station – a class action suit covering tens of millions of Windows users seeking money from Apple.

        There are risks to acquiring a company. Unforeseen legal liabilities are one of them.

    1. This would be even better news if Apple decides to END-of-life the Windows-based products and cancels all OEM agreements with respect to this hardware. Then Apple assimilates the technology into an iOS environment as a secure & fixed product, leaving WinBlows users with a username & password. Do to them what Windows has always done to Mac users. Leave them hanging.

      Windows and security is an oxymoron and Ballmer is just a moron. May he preside at the helm of the Titanic until it rests deep in the abyss. Sounds like a registry problem to me, not a software design problem. If important stuff is supposed to go into the registry and it’s supposed to be secure, then why is the developer at fault?

      Should the developer have to make their own encryption method and store it where? That’s what the registry is for. Never worked worth a damn anyway. Always hated dealing with registry errors and corruption. Shouldn’t Dell and Acer have tested this stuff? They marketed it as the ultimate in security.

    1. This is a third-party independent software vendor (ISV) that has developed a fingerprint solution that works with Windows. It has nothing to do with Ballmer choosing an Apple product. This product was also used by Windows before Apple bought it.

  1. The UPEK HW/SW was also offered for the Macintosh and was not tested and is not known to be affected.

    I contacted @adamcaudill, one of the security researchers involved, via Twitter this morning and he did not test the Mac SW. Have not gotten a reply from @elcomsoft yet (it’s after hours in Russia).

    As the Windows problem is related to the Windows Registry, it is likely that it is a Windows-only problem.

  2. Vulnerabilities in UPEK software have been known for some time and nobody cares.
    Now that Apple bought the company that had bought UPEK, journalists just print “APPLE OWNED SOFTWARE EXPOSES PASSWORDS” and bingo! Instant scandal.

    Ludicrous.

  3. “The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint…”

    I found the problem: they mistakenly thought there was a secure way to log into Windows!

  4. “The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.”

    So Goodin is intimating that this is Apple’s fault or problem?

    1. Well, if Apple owns the company, then yes, they have ultimate responsibility for what happens. And if there is a security flaw that can cause damages to the owner of the software, then this is serious and something should be done.

      Just like if Microsoft buys a company and a security flaw shows itself. I am sure everyone would be all over them criticizing. And everyone would demand that Microsoft responds and acts. The same needs to be done by Apple.

      1. But does Apple even actually own the company yet? They’ve indicated their desire to buy and it has been approved by the board. Was it ever approved by the shareholders after they freaked out about it months ago? And even if it has been, until the ink is dry, there is no purchase. We don’t know if Apple has any managerial control over the company at all at this moment.

  5. Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise

    Golly, and only last week I was chatting about what worthless crap fingerprint scanning tech is on a computer. And here we have a whole new way of FAIL. Astounding.

    I suspect Apple are smart enough to close this ridiculous security hole. But I also suspect they are wondering why they bought this crap tech in the first place.

    There is no substitute for a hardcore password. Fingerprint scanning and any other shiny-rainbows-unicorns-and-daisies add-on security methods are only good as ADDED authentication factors. They are ‘replacements’ for nothing.

  6. Always read ‘requires physical access’ as ‘if your computer is already compromised’. Seriously, it’s sloppy programming, but changing a Windows password is trivial if you have access. Rule one: don’t let bad guys use your computer. Rule two: encrypt your data.
