This is an I-screwed-up post. And it’s a clear-the-air post.
Earlier today, I posted about AuthenTec, a recent Apple acquisition that has had some security issues with software it produced for Windows PCs. One of the company’s products, a biometric security package called Protector Suite, stored passwords insecurely.
The issue was highlighted by security company Elcomsoft on August 28, and rose to prominence again in the past few days when an open-source project enabling easy exploitation of the security hole was posted to Github. I noticed it yesterday on Ars Technica, and today contacted Apple for comment, as well as phoning Authentec directly.
Apple didn’t return either of my two calls, and when the person I talked to at Authentec told me only that the software was discontinued (I also left a message for a product manager, who did not return my voicemail) I wrote a story based on the facts I knew.
But a reader checked Authentec’s support site, which I had not seen, and discovered that a new download is available for Protector Suite. In fact, according to the information on the support site, it’s been available since September 18. And in the release notes is a direct response to the security issue: “Changed passport encryption implementation.”
So the software does appear to be patched.
Now, I’d appreciate it if AuthenTec had made that known on its corporate website, not just the support site. And there seems to be no direct link from AuthenTec’s corporate website to its support site. In addition … it’d be nice if Apple had returned my calls, or if the person at AuthenTec knew that the software had already been patched.
All that aside, however, the fact remains: the software had been patched, and I wrote a story saying it was not. So … I was just plain wrong.
As soon as I saw the note from our reader — you rock, by the way — I updated my original story with a note.
But I felt that an additional story needed to be written, because as I check Google News for “AuthenTec” or look at MacSurfer’s list of Apple security stories, all of the posts still say that Apple’s subsidiary still has unpatched, vulnerable software. And that’s simply not the case today, as far as I can tell. No-one seems to have picked up on the fact that our reader found.
In fact, according to what the reader subsequently sent me, the patch has been delivered to all affected computer manufacturers. (AuthenTec, Apple, please feel free to add any missing details.)
So the recorded needed to be set straight. I trust that it now is.
VentureBeat’s goal is accurate, timely information. So is mine. It’s not always easy or straightforward, and sometimes I screw up. When that happens, we do our best to make it right.
That’s a personal commitment, and I think I dare speak for everyone else at VentureBeat on that point as well.