Windows 10 News and info | Forum

Windows 10 & 8 Modifying => Patch Tuesday| Updates | Security | Anti-virus => Topic started by: javajolt on December 17, 2017, 04:37:10 AM



Title: Google finds a vulnerability in Windows 10’s Password Manager
Post by: javajolt on December 17, 2017, 04:37:10 AM
(http://s2.postimg.org/f0tvvv3ih/windows-10-spying.jpg)
Google’s Security Researcher Tavis Ormandy has discovered a bug in Windows 10’s Password Manager which allows attackers to steal passwords. The flaw is with third-party Keeper password manager app which comes installed Windows 10 devices. Tavis says that the flaw is similar to the one he discovered back in 2016.

Quote
I remember filing a bug a while ago about how they were injecting privileged UI into pages. “I checked and, they’re doing the same thing again with this version.

– Tavis Ormandy

Tavis demonstrated the attack and shared the details as a part of Project Zero. The bug is subjected to a 90-day disclosure deadline which means that once 90 days are up, Tavis is free to share the details about the bug and how to exploit it publically.

(http://s2.postimg.org/wcu8h6ue1/Captu45re.jpg) (http://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3)

This might sound scary but Keeper has already flagged the issue and as of yesterday, a new update has been pushed to fix the issue. The company addressed it in a blog post:

Quote
All customers running Keeper’s browser extension on Edge, Chrome and Firefox have already received Version 11.4.4 through their respective web browser extension update process. Customers using the Safari extension can manually update to version 11.4.4 by visiting Keeper’s download page ([url]http://keepersecurity.com/download.html[/url]). No reports of any customers affected by this bug have been reported to Keeper. Mobile Apps and Desktop Apps were not affected and do not require updates.


Let's hope the new update fixes the issue and as an advisory, we recommend you have all the apps up-to-date to prevent any attacks. You can download the extension for Edge from the Microsoft Store (http://www.microsoft.com/en-us/store/p/keeper-password-manager-secure-file-storage/9wzdncrdmpt6?tduid=(9bd4c7cfb9cf8d3c1ba3efa0e57972f7)(263915)(2775081)()()&rtc=1).

source (http://mspoweruser.com/google-finds-vulnerability-windows-10s-password-manager/)