Free Republic · General/Chat

Windows 10 bundles a briefly vulnerable password manager (Passwords stolen by websites)
The Register ^ | Dec 18, 2017 | Richard Chirgwin

Posted on 12/18/2017 6:20:32 AM PST by dayglored

Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.

On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: “I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”

The detail of the bug's operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, it allowed a malicious Web page to read the password the user was inserting from Keeper.

I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm — Tavis Ormandy (@taviso) December 15, 2017

Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.

Keeper Security has issued a patch for the bug.

Posting the patch, the company noted that a victim would have to be lured to an attacker's site, while logged into the browser extension. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: passwordmanager; passwords; security; windows10; windowspinglist
Oops.
1 posted on 12/18/2017 6:20:32 AM PST by dayglored
[ Post Reply | Private Reply | View Replies]

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Windows 10 third-party bundled password manager vulnerability ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 12/18/2017 6:21:15 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

All your p-words belong to us.


3 posted on 12/18/2017 6:35:34 AM PST by smokingfrog ( sleep with one eye open (<o> ---)
[ Post Reply | Private Reply | To 2 | View Replies]

To: dayglored

Who’s bundling it with W10?

It’s not on my machines.


4 posted on 12/18/2017 6:55:31 AM PST by MV=PY (The Magic Question: Who's paying for it?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: smokingfrog

Gates set us up the Bomb.


5 posted on 12/18/2017 6:56:29 AM PST by Gasshog (When in trouble or in doubt, run in circles scream and shout!)
[ Post Reply | Private Reply | To 3 | View Replies]

To: dayglored

It’s not a ‘bug’.

It’s a FEATURE!.................


6 posted on 12/18/2017 7:06:25 AM PST by Red Badger (Road Rage lasts 5 minutes. Road Rash lasts 5 months!.....................)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gasshog

I think it’s a browser extension for Edge?
I rarely use any browser extensions myself.


7 posted on 12/18/2017 7:15:25 AM PST by smokingfrog ( sleep with one eye open (<o> ---)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Pride in the USA

ping for a later read


8 posted on 12/18/2017 7:44:50 AM PST by Pride in the USA
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

I avoid google as much as possible but I let Chrome store any passwords I want stored. I consider it the most secure browser. I mostly use Firefox.


9 posted on 12/18/2017 7:57:15 AM PST by dennisw (Once is happenstance. Twice is coincidence. The third time it is enemy action.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

10 posted on 12/18/2017 8:33:10 AM PST by Pollard (TRUMP 2020)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

Windows 10 is evil incarnate.


11 posted on 12/18/2017 8:45:55 AM PST by jerod (Nazi's were essentially Socialist in Hugo Boss uniforms... Get over it!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

Ha. Nice Dilbert reference.


12 posted on 12/18/2017 9:11:44 AM PST by DariusBane (Liberty and Risk. Flip sides of the same coin. So how much risk will YOU accept? Vive Deo et Vives)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Pollard

#10 That looks like the alien penguin in “The Last Jedi”


13 posted on 12/18/2017 10:26:11 AM PST by minnesota_bound
[ Post Reply | Private Reply | To 10 | View Replies]

To: Pollard
Really? A glass CRT screen? How very retro... Then again, it -is- the Vista background... so I suppose it's contemporary.

But still... time for the Penguin to get a proper LCD!

14 posted on 12/18/2017 2:53:57 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 10 | View Replies]

To: dayglored

Might be a reference to “broken Windows”.


15 posted on 12/18/2017 4:02:37 PM PST by Pollard (TRUMP 2020)
[ Post Reply | Private Reply | To 14 | View Replies]

To: dayglored

BS clickbait headline. It’s a third-party app that has the vulnerability not Win 10.


16 posted on 12/18/2017 6:14:03 PM PST by nicollo (I said no!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: nicollo
> BS clickbait headline. It’s a third-party app that has the vulnerability not Win 10.

Strictly speaking, yeah it was third-party, but let's not quibble -- it's accurate enough (for one that's not, see further down).

The "Keeper" password manager was bundled with Windows 10. It happens to be third-party but that makes no difference to a user who see it as part of the Windows system they purchased. Engadget's article says:

> There's a good reason why security analysts get nervous about bundled third-party software: it can introduce vulnerabilities that the companies can't control. And Microsoft, unfortunately, has learned that the hard way. Google researcher Tavis Ormandy discovered that a Windows 10 image came bundled with a third-party password manager, Keeper, which came with a glaring browser plugin flaw -- a malicious website could steal passwords. Ormandy's copy was an MSDN image meant for developers, but Reddit users noted that they received the vulnerable copy of Keeper after clean reinstalls of regular copies and even a brand new laptop.

Any reasonable person would view that as "part of the operating system" even though you and I know enough to split hairs and differentiate between the kernel, the utilities, the apps, etc.

OTOH, I'd say that THIS headline on the same topic -IS- BS clickbait, because the headline doesn't mention the "third-party" or "bundle" aspect at all:

> Huge security flaw in Windows 10 that could have allowed hackers to STEAL the passwords of thousands of users is found by a Google analyst

Here's the important aspect: In the final analysis, it was Microsoft's poor judgement, and/or poor vetting, that allowed the flawed app into the Win10 bundle. Ultimately, it's MS's responsibility for what goes into a "Windows" package.

That said, the third-party vendor ought to get ridden out of town on a rail and never be permitted to place another app in a Windows bundle, just on general principles.

17 posted on 12/18/2017 7:55:44 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 16 | View Replies]

To: MV=PY
It’s not on my machines.

Same. Can confirm that in neither Enterprise nor Professional versions of Win10 under 1703 and 1709 is this Keeper software found.

This is FUD. The title is misleading. Microsoft isn't distributing this. It's built into an MSDN-distributed version, which is miles apart from retail- or EA-distributed Windows.

18 posted on 12/19/2017 3:23:18 AM PST by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)
[ Post Reply | Private Reply | To 4 | View Replies]

To: dayglored

Thanks for excellent analysis.


19 posted on 12/19/2017 2:16:29 PM PST by nicollo (I said no!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: rarestia
> This is FUD. The title is misleading. Microsoft isn't distributing this. It's built into an MSDN-distributed version, which is miles apart from retail- or EA-distributed Windows.

Could you please comment on Engadget's article quoted above:

"...users noted that they received the vulnerable copy of Keeper after clean reinstalls of regular copies and even a brand new laptop..."
And then a separate question. As an MSDN subscriber, I consider that the software I download from Microsoft's MSDN site is distributed by Microsoft. And most of the OS .ISO images are essentially identical to the retail releases, but with an MSDN key. Microsoft supplies them -- they certainly aren't coming from Apple or Canonical. So what does: "Microsoft isn't distributing this. It's built into an MSDN-distributed version" possibly mean?
20 posted on 12/19/2017 2:52:51 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 18 | View Replies]

