- Jul 22, 2014
- 2,525
The Savitech USB audio driver installation package will install a root CA certificate into the Windows trusted root certificate store, in an incident that's reminiscent of the Superfish and eDellRoot episodes from 2015 and 2016, respectively.
Users usually install these drivers as separate packages, but they're also bundled inside setup software for all sorts of products.
Savitech, as a company, creates audio and video drivers for a wide range of devices. According to RSA security researcher Kent Backman — the one who spotted the Savitech root certificate installation process — only the company's USB audio driver installation package will install the root certificate.
This driver is provided to hardware vendors to support audio-capable devices that run via USB ports. Various vendors like AsusTek, EMC, Intos, Creek Audio, and others deploy Savitech's USB audio driver with their products.
Users need to manually remove root certs
Savitech admitted its mistake. A company spokesperson said they added the root certificate to support driver signing on Windows XP machines.
The driver was not needed for latter versions of Windows, and the company decided to drop XP support from its products for the sake of user security.
"We have removed the code of installing SAVITECH’s certificate from software package after standard software package v2.8.0.3 published on March 31, 2017," a Savitech spokesperson said.
While Savitech's USB audio driver packages 2.8.0.3 and later do not install the root certificate anymore, they do not remove it either. Users have to remove the root certificate from the Windows trusted root store themselves.
Users are advised to search and remove the following two Savitech root certificates. Instructions are available here.
...
Users usually install these drivers as separate packages, but they're also bundled inside setup software for all sorts of products.
Savitech, as a company, creates audio and video drivers for a wide range of devices. According to RSA security researcher Kent Backman — the one who spotted the Savitech root certificate installation process — only the company's USB audio driver installation package will install the root certificate.
This driver is provided to hardware vendors to support audio-capable devices that run via USB ports. Various vendors like AsusTek, EMC, Intos, Creek Audio, and others deploy Savitech's USB audio driver with their products.
Users need to manually remove root certs
Savitech admitted its mistake. A company spokesperson said they added the root certificate to support driver signing on Windows XP machines.
The driver was not needed for latter versions of Windows, and the company decided to drop XP support from its products for the sake of user security.
"We have removed the code of installing SAVITECH’s certificate from software package after standard software package v2.8.0.3 published on March 31, 2017," a Savitech spokesperson said.
While Savitech's USB audio driver packages 2.8.0.3 and later do not install the root certificate anymore, they do not remove it either. Users have to remove the root certificate from the Windows trusted root store themselves.
Users are advised to search and remove the following two Savitech root certificates. Instructions are available here.
...
