Posted on 12/18/2017 6:20:32 AM PST by dayglored
Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.
On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works."
The detail of the bug's operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, it allowed a malicious Web page to read the password the user was inserting from Keeper.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm Tavis Ormandy (@taviso) December 15, 2017
Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.
Keeper Security has issued a patch for the bug.
Posting the patch, the company noted that a victim would have to be lured to an attacker's site, while logged into the browser extension. ®
https://insidewindows.net/2016/08/24/how-to-stop-windows-10-1607-from-installing-unwanted-apps/
The second article suggests setting the following registry value to 0:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SilentInstalledAppsEnabled
SilentInstalledAppsEnabled???
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SilentInstalledAppsEnabled
> SilentInstalledAppsEnabled???
WTF?!?
I suppose we can credit them with being honest about how they named the d@mned thing...
Dang! I didn't know about that one.
Thanks!
If that setting does what I think it does, I'd rather give Microsoft something other than credit.
FWIW, today I checked two Win 10 Pro computers and one Win 10 Home computer. All had SilentInstalledAppsEnabled set to 1.
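The registry value suggested above is per-user, so checking one machine means checking every loaded user hive, not just HKCU. The following is an added example (not from the article or any poster) that audits SilentInstalledAppsEnabled for each loaded user profile and, with the hypothetical -Fix switch, writes 0; it assumes an elevated PowerShell session so that HKEY_USERS is readable.

```powershell
# Added example: audit (and optionally set) SilentInstalledAppsEnabled per user hive.
# Assumes an elevated session; -Fix is a switch invented for this example.
param(
    [switch]$Fix   # when set, write 0 instead of only reporting
)

$relPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$valueName = 'SilentInstalledAppsEnabled'

# Only real user SIDs (S-1-5-21-...) host a desktop session; skip the _Classes
# aliases and the built-in system SIDs (S-1-5-18/19/20).
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $hives) {
    $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$relPath"

    if (-not (Test-Path -Path $keyPath)) {
        # Key absent: Content Delivery Manager has not written its defaults for this user yet.
        [pscustomobject]@{ SID = $hive.PSChildName; Value = $null; Status = 'key missing' }
        continue
    }

    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    $status = if ($current -eq 0)        { 'ok' }
              elseif ($null -eq $current) { 'value missing' }
              else                        { 'silent installs enabled' }

    if ($Fix -and $current -ne 0) {
        # Create or overwrite the DWORD so silent app installs are disabled for this user.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
        $status = 'set to 0'
    }

    [pscustomobject]@{ SID = $hive.PSChildName; Value = $current; Status = $status }
}
```

Hives of users who are not currently logged on are not loaded under HKEY_USERS, so those profiles do not appear in the report.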
Definition of insanity? Reinstalling the same copy with the same software isn't going to fix the issue.
"...brand new laptop..."
False equivalency. Still using the same ISO known to have the Keeper install. The machine/hardware is immaterial.
MSDN and enterprise portals are virtually identical, but MSDN can be a bit fast and loose. You often find RCs in MSDN while the enterprise portal is not populated with "beta" software, at least none that I've ever seen.
These are two separate divisions within Microsoft proper. We've combed through our Win10 deployment repo and found no trace of this Keeper software in the 16XX, 1703, or 1709 distros. SCCM doesn't find it either. That only leaves MSDN as the distribution culprit, and that's not a surprise to any of us.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.