Brash YubiKey Manager, Microsoft Edge Save Users from Hacking

Yubico, the developer of the popular YubiKey devices, has issued a warning to Windows users about a serious vulnerability in its software. The company’s official announcement states that the vulnerability could lead to an escalation of privileges on the user’s computer.

The issue specifically affects the YubiKey Manager application and is tracked as CVE-2024-31498. Its CVSS score of 7.7 indicates a significant level of risk.

The vulnerability manifests when a user launches the YubiKey Manager graphical interface with administrator rights. Any browser windows opened by the program then inherit these elevated privileges, giving an attacker an opportunity to exploit them to carry out actions on behalf of the administrator.

This issue affects only Windows users who do not use Microsoft Edge as their default browser. Yubico has stated that the vulnerability stems from the Windows OS’s requirement for administrator rights when interacting with FIDO authenticators such as the YubiKey.
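One way a defender could watch for the inheritance described above, as an added example that is not Yubico's code: scan Sysmon-style process-creation records and flag a browser running at High integrity whose parent is YubiKey Manager. The GUI executable name ykman-gui.exe, the install paths and the sample log lines are assumptions constructed for illustration; Edge is excluded because the advisory says Edge-as-default is not affected.

```python
# Added example (not Yubico's code): flags a High-integrity browser whose
# parent process is YubiKey Manager, the inheritance described above, over
# Sysmon-style process-creation fields (Image, ParentImage, IntegrityLevel).
# Assumed: GUI binary name ykman-gui.exe; paths and log lines are constructed.
PARENT_NAME = "ykman-gui.exe"  # assumed YubiKey Manager GUI executable
# Edge is left out: the advisory says Edge-as-default is not affected.
BROWSERS = {"chrome.exe", "firefox.exe", "brave.exe", "opera.exe"}

YKMAN = r"C:\Program Files\Yubico\YubiKey Manager\ykman-gui.exe"  # assumed path
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def inherited_elevation(ev: dict) -> bool:
    """True when an elevated (High integrity) browser was spawned by YubiKey Manager."""
    return (basename(ev["ParentImage"]) == PARENT_NAME
            and basename(ev["Image"]) in BROWSERS
            and ev["IntegrityLevel"].lower() == "high")

def find_alerts(lines):
    """Return the lower-cased browser image names that should raise an alert."""
    events = (parse_event(l) for l in lines if l.strip())
    return [basename(ev["Image"]) for ev in events if inherited_elevation(ev)]

def record(image, parent, integrity):
    """Build one constructed log line in the format parse_event expects."""
    return f"Image={image}|ParentImage={parent}|IntegrityLevel={integrity}"


# Constructed sample records: only the first should alert.
SAMPLE_LOG = [
    record(CHROME, YKMAN, "High"),       # elevated Chrome spawned by ykman-gui
    record(EDGE, YKMAN, "High"),         # Edge: out of scope per the advisory
    record(FIREFOX, YKMAN, "Medium"),    # ykman-gui was not run as administrator
    record(CHROME, EXPLORER, "Medium"),  # ordinary user-launched browser
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG))  # ['chrome.exe']
```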

Users can check their YubiKey Manager version via the “About Program” menu within the application. Those running versions up to 1.2.6 are advised to update the software promptly. The latest corrected version is available on the Yubico website as well as on GitHub.

To minimize the risk of privilege escalation, Yubico recommends that users refrain from running YubiKey Manager with administrator privileges unless necessary for FIDO functions. As an interim measure, switching to Microsoft Edge as the default browser prevents third-party browsers from inheriting administrative privileges, though updating the software remains the most effective resolution.

This security incident marks the second vulnerability for Yubico in the past three years. Detecting and responding promptly to such vulnerabilities is crucial to safeguarding users’ personal data against potential attacks.
