Posted on 12/18/2017 6:20:32 AM PST by dayglored
Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.
On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works."
The detail of the bug's operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, it allowed a malicious Web page to read the password the user was inserting from Keeper.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm Tavis Ormandy (@taviso) December 15, 2017
Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.
Keeper Security has issued a patch for the bug.
Posting the patch, the company noted that a victim would have to be lured to an attacker's site, while logged into the browser extension. ®
All your p-words belong to us.
Who’s bundling it with W10?
It’s not on my machines.
Gates set us up the Bomb.
It’s not a ‘bug’.
It’s a FEATURE!.................
I think it’s a browser extension for Edge?
I rarely use any browser extensions myself.
ping for a later read
I avoid google as much as possible but I let Chrome store any passwords I want stored. I consider it the most secure browser. I mostly use Firefox.
Windows 10 is evil incarnate.
Ha. Nice Dilbert reference.
#10 That looks like the alien penguin in “The Last Jedi”
But still... time for the Penguin to get a proper LCD!
Might be a reference to “broken Windows”.
BS clickbait headline. It’s a third-party app that has the vulnerability not Win 10.
Strictly speaking, yeah it was third-party, but let's not quibble -- it's accurate enough (for one that's not, see further down).
The "Keeper" password manager was bundled with Windows 10. It happens to be third-party, but that makes no difference to a user who sees it as part of the Windows system they purchased. Engadget's article says:
There's a good reason why security analysts get nervous about bundled third-party software: it can introduce vulnerabilities that the companies can't control. And Microsoft, unfortunately, has learned that the hard way. Google researcher Tavis Ormandy discovered that a Windows 10 image came bundled with a third-party password manager, Keeper, which came with a glaring browser plugin flaw -- a malicious website could steal passwords. Ormandy's copy was an MSDN image meant for developers, but Reddit users noted that they received the vulnerable copy of Keeper after clean reinstalls of regular copies and even a brand new laptop.
Any reasonable person would view that as "part of the operating system" even though you and I know enough to split hairs and differentiate between the kernel, the utilities, the apps, etc.
OTOH, I'd say that THIS headline on the same topic -IS- BS clickbait, because the headline doesn't mention the "third-party" or "bundle" aspect at all:
Huge security flaw in Windows 10 that could have allowed hackers to STEAL the passwords of thousands of users is found by a Google analyst
Here's the important aspect: In the final analysis, it was Microsoft's poor judgement, and/or poor vetting, that allowed the flawed app into the Win10 bundle. Ultimately, it's MS's responsibility for what goes into a "Windows" package.
That said, the third-party vendor ought to get ridden out of town on a rail and never be permitted to place another app in a Windows bundle, just on general principles.
Same. Can confirm that in neither Enterprise nor Professional versions of Win10 under 1703 and 1709 is this Keeper software found.
This is FUD. The title is misleading. Microsoft isn't distributing this. It's built into an MSDN-distributed version, which is miles apart from retail- or EA-distributed Windows.
Thanks for the excellent analysis.
Could you please comment on Engadget's article quoted above:
"...users noted that they received the vulnerable copy of Keeper after clean reinstalls of regular copies and even a brand new laptop..."
And then a separate question. As an MSDN subscriber, I consider that the software I download from Microsoft's MSDN site is distributed by Microsoft. And most of the OS .ISO images are essentially identical to the retail releases, but with an MSDN key. Microsoft supplies them -- they certainly aren't coming from Apple or Canonical. So what does: "Microsoft isn't distributing this. It's built into an MSDN-distributed version" possibly mean?