Microsoft is quietly forcing some Windows 10 computers to install a password manager that contains a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday.
Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a bug that represents “a complete compromise of Keeper security, allowing any website to steal any password.” He said he uncovered a flaw in the non-bundled version of Keeper 16 months ago that posed the same threat.
With only basic changes to “selectors,” the old proof-of-concept exploit worked on the version installed without notice or permission on his Windows 10 system. Ormandy’s post linked to this publicly available proof-of-concept exploit, which steals an end user’s Twitter password if it’s stored in the Keeper app. After this post went live, a Keeper spokesman said the bug was different from the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released a few weeks ago. The developer has fixed the flaw in the just-released version 11.4 by removing the vulnerable “add to existing” functionality.
Fortunately, Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it with their passwords. Still, the incident raises questions about the security vetting Microsoft gives to apps it bundles with Windows. If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason that people inside the software company should have found it long ago. Microsoft officials have yet to respond to questions about what testing the company gives to third-party apps before they’re pre-installed, and by some accounts these apps are repeatedly reinstalled on end users’ computers against their wishes.
While Ormandy reported Keeper was installed on a virtual machine created from a version of Windows intended for developers, people participating in the Reddit discussion reported Keeper was also installed on laptops, in one case right after it was taken out of the box and in another after it had been wiped clean and had Windows reinstalled. A third person reported Keeper being installed on a virtual machine created with Windows 10 Pro.
It’s possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that the Keeper vulnerability somehow slipped through anyway. It’s also possible that third-party apps don’t come with the same security assurances as other Microsoft software. Microsoft should explain how this happened and state the precise conditions under which Keeper and other apps do and don’t get installed.
This post was updated to add comment from Keeper and details about Windows 10 versions reported to receive automatic installs.
At L Technology Group, we know technology alone will not protect us from the risks of cyberspace. Hackers, nation states like Russia and China, and “Bob” in HR opening that email are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology but also intelligent personnel who eat and breathe cybersecurity. Together with proven processes and techniques, this combines into an advanced next-generation security solution. Since 2008, L Technology Group has developed people, processes and technology to combat the ever-changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.