not quite minimalistic enough  

S-1-1-0 – Update

According to the company, this is not a security issue. I reserve – and exercise – my right to disagree, but I’m not a security researcher.

They say that:

  1. The global write permissions on the firmware files (they are firmware files) are
    • necessary to enable successful updates, and
    • not a problem because the PC software does not interpret them when feeding them to the reader, and the reader will reject manipulated files due to invalid signatures.
  2. The registry permissions are necessary for interoperability between components on the same system.

Finally, they say their software and devices are getting tested not only by them, but also by the IT security people of the companies using the things, and if no one complains, everything must be fine.

Very well then; if they won’t fix their bugs, I can only work around them in my own environment.
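
For anyone wanting to check their own installation, the following PowerShell audit lists every Allow entry that gives S-1-1-0 (the well-known Everyone SID) write-type access on a firmware directory and a registry key. It is an added example, not code from this post or from the vendor; both paths are hypothetical placeholders, since the post does not name the real locations, and `Get-EveryoneWriteAce` is a name made up for this sketch.

```powershell
# Hypothetical placeholders: substitute the locations used by your installation.
$FirmwareDir = 'C:\Path\To\Vendor\Firmware'
$RegistryKey = 'HKLM:\SOFTWARE\VendorPlaceholder'

# Rights that allow changing content, deleting it, or rewriting the ACL itself.
$FileWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
$RegWrite  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only entries may carry raw GENERIC_WRITE / GENERIC_ALL bits instead.
$Generic   = 0x50000000

function Get-EveryoneWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,            # file system or registry path
        [Parameter(Mandatory)][int]$WriteMask,          # bits considered "write"
        [Parameter(Mandatory)][string]$RightsProperty   # FileSystemRights or RegistryRights
    )
    # Walk the item itself plus everything below it; PSPath works for both providers.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.PSPath
        # Request SIDs instead of names so the match survives localized account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $rights = [int]$rule.$RightsProperty
            if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
                $rule.AccessControlType -eq 'Allow' -and
                ($rights -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Item      = $item.PSPath
                    Rights    = $rule.$RightsProperty
                    Inherited = $rule.IsInherited   # inherited entries must be fixed on the parent
                }
            }
        }
    }
}

Get-EveryoneWriteAce -Path $FirmwareDir -WriteMask ([int]$FileWrite -bor $Generic) -RightsProperty FileSystemRights
Get-EveryoneWriteAce -Path $RegistryKey -WriteMask ([int]$RegWrite  -bor $Generic) -RightsProperty RegistryRights
```

An empty result means no Everyone write entry was found on the scanned items; run it again after each vendor update, because an installer can reapply its own ACLs.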

Written on November 14, 2018