Based on a tip from a reader, it looks like Authentec actually has patched the security flaw without announcing that fact via its main website.
The company’s support website has the information, and a download available for a new version that was apparently released in September. The release note for that version includes this line: “Changed passport encryption implementation.”
Unfortunately, because the product was removed from the main website and the person I spoke to at Authentec simply told me that it was discontinued — not that it was patched — I proceeded with the story. My apologies.
Apple-owned security company Authentec has still not patched a massive vulnerability in its Windows software more than a month after it was first discovered by ElcomSoft. Now software that exploits the vulnerability has been released as an open-source project on Github.
In addition, VentureBeat has discovered, Authentec has discontinued both the original security software and its replacement … and deleted the evidence from its website (though not from Google’s cache).
Almost three months ago, Apple bought AuthenTec, a security company that builds sensors for PCs and phones to verify users and protect communications. One of the company’s products was Protector Suite, a secure way to log into Windows machines with your fingerprint.
The only problem? The software stores inadequately encrypted passwords in the Windows Registry. In fact, according to ElemSoft, the passwords were almost in plain text. To put it bluntly, this “security solution” actually made PCs more vulnerable.
Although the problem was discovered in August, Protector Suite has not been patched by Authentec or Apple. Now independent security researchers have crafted a tool, UPEK Protector Suite Password Decrypter, allowing hackers access to account passwords easily. From the release notes:
This is a little .NET 4.0 C# console application that demonstrates how to decrypt Windows logon credentials from registry keys created by UPEK (now AuthenTec)’s Protector Suite software.
Apple is not known for its quickness to patch vulnerable software quickly, whether on the Mac App Store or in software that ships with Mac OS X itself … even when the malware is affecting Macs, as Windows experts have noticed. This vulnerability, which affects PCs from Dell, Asus, Samsung, Sony, and Lenovo, was obviously not at the top of the priority list also.
I called Authentec and was told that the company no longer supported UPEK Protector Suite, and that the new software that replaced UPEK was called TrueSuite.
However, the web page for TrueSuite appears to have been deleted from Authentec’s site and now simply redirects to the company’s homepage. In addition, the company’s website says that its “smart sensor” products have been discontinued.
However, Google retains a cache of the TrueSuite page, which confirms that:
TrueSuite® is AuthenTec’s identity management software that is designed to make a fingerprint-enabled PC simpler and more secure, while increasing user convenience and personalization. TrueSuite software is tailored for consumers who demand simplicity, improved usability, and one-touch access to their digital ID and social networks.
So TrueSuite is the new UPEK Protector Suite … except that it is discontinued. And unsupported.
But the question remains: Will Apple live up to its subsidiary’s obligations and patch the holes in its now-legacy software so that users of UPEK Protector Suite can enjoy some level of security?
I’ve asked Apple PR for comment and will update this post when I hear back.