YubiKey Manager breach or how Microsoft Edge saves users from hacking

Father

A browser with an aggressive promotion policy suddenly became the main information security hero for everyone.

Yubico, the developer of popular YubiKey authentication devices, has warned Windows users about a serious vulnerability in its software. According to the company's official announcement, the vulnerability can lead to increased privileges on the user's computer.

The detected problem concerns the YubiKey Manager program and is tracked under the identifier CVE-2024-31498. The CVSS score is 7.7 points, which indicates a fairly high level of risk.

The vulnerability occurs when a user runs the YubiKey Manager GUI with administrator rights. In this case, the browser windows opened by this program also inherit these privileges, which can be used by an attacker to perform actions on behalf of the administrator and significantly increase the potential for an attack.

The issue only affects Windows users who do not use the default Microsoft Edge browser. As Yubico points out, the vulnerability is related to the Windows OS requirements for administrator rights to interact with FIDO authenticators, which include YubiKey.

To check the version of YubiKey Manager, users can open the "About" menu in the app itself. Anyone using versions prior to 1.2.6 should update the software immediately. The latest version with the implemented fix is available on the Yubico website and on GitHub.

In addition to updating the program, Yubico recommends that users do not run YubiKey Manager as administrator unless they need to use FIDO features. This will avoid unnecessary risk of privilege escalation when using the program.

An alternative temporary solution to the problem is to install Microsoft Edge as the primary browser, which can help prevent the inheritance of administrative privileges that occurs with third-party browsers. However, the company emphasizes that the best solution is still to upgrade the software to a secure version.
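As an added example (not Yubico's code and not from the original post), here is a PowerShell check a Windows administrator could run to flag YubiKey Manager installs older than 1.2.6 and any third-party browser processes that were spawned by the YubiKey Manager GUI. The uninstall DisplayName "YubiKey Manager" and the GUI process name ykman-gui are assumptions; adjust them to match your installation.

```powershell
# Added example, not Yubico's code. Assumptions: the Uninstall registry entry's
# DisplayName starts with "YubiKey Manager" and the GUI process is named ykman-gui.
$FixedVersion = [version]'1.2.6'   # first version with the CVE-2024-31498 fix (from the advisory)

function Get-YubiKeyManagerVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'YubiKey Manager*' -and $_.DisplayVersion } |
        ForEach-Object { [version]$_.DisplayVersion }
}

$found = @(Get-YubiKeyManagerVersion)
if ($found.Count -eq 0) { Write-Output 'YubiKey Manager not found in the Uninstall registry keys.' }
foreach ($v in $found) {
    if ($v -lt $FixedVersion) {
        Write-Warning "YubiKey Manager $v is older than $FixedVersion (CVE-2024-31498): update it."
    } else {
        Write-Output "YubiKey Manager $v is at or above the fixed version $FixedVersion."
    }
}

# Browser processes whose parent is the YubiKey Manager GUI. If the GUI was started
# as administrator, these children inherited that elevated token, which is the
# behaviour the advisory describes. Edge is left out because the advisory says the
# issue does not affect users whose default browser is Microsoft Edge.
$procs    = Get-CimInstance Win32_Process
$ykmanIds = @($procs | Where-Object { $_.Name -like 'ykman-gui*' } |   # assumed process name
              ForEach-Object { $_.ProcessId })
$browsers = 'chrome.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe'

$procs |
    Where-Object { $browsers -contains $_.Name -and $ykmanIds -contains $_.ParentProcessId } |
    ForEach-Object {
        $msg = 'Browser {0} (PID {1}) was launched by YubiKey Manager (PID {2}); check whether the GUI is running as administrator.'
        Write-Warning ($msg -f $_.Name, $_.ProcessId, $_.ParentProcessId)
    }
```

Run it in the user's session, since the process list and the HKCU uninstall key belong to that session.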

This security incident is the second for Yubico in the last three years. Detecting and responding to such vulnerabilities in a timely manner helps protect users' personal data from possible attacks.