Vulnerability disclosed as part of Project Zero

Dec 16, 2017 07:53 GMT  ·  By

Google security researcher Tavis Ormandy, who has previously discovered, reported, and disclosed several major bugs in Windows and its features, has found a new vulnerability that affects Windows users, this time through a third-party app bundled with the operating system.

The flaw exists in the Keeper password manager, which comes pre-installed on some Windows 10 installations; the bug sits in its browser extension, and Ormandy says it is essentially the same as a vulnerability he discovered in Keeper in August 2016.

“I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy explained on December 14. “I checked and, they're doing the same thing again with this version,” he continued.

While this isn’t a security flaw in Windows or another Microsoft product, it does put Windows users’ data at risk: a malicious website could steal the stored passwords of anyone who relies on Keeper.

Ormandy also published a working demo that steals a user’s Twitter password, describing the bug as “a complete compromise of keeper security, allowing any website to steal any password.”

Updating to version 11.4.4 fixes the flaw

Microsoft said it was aware of the issue shortly after Ormandy’s post, explaining that an update for the app was on its way. “We are aware of the report about this third-party app, and the developer is providing updates to protect customers,” a company spokesperson said.

Keeper Security, the company behind the password manager, has acknowledged the flaw and released version 11.4.4 to address it, saying it is not aware of any attacks exploiting the bug. The browser extension for Edge, Chrome, and Firefox updates automatically.

Keeper Security says the flaw can only be exploited by luring a user to a specially crafted website, so until the extension has updated, avoiding untrusted links reduces exposure. That is a weak mitigation rather than a fix, though: the attacker needs nothing more than a page the victim loads while logged into the extension, so confirming that the extension is at 11.4.4 or later is the only reliable check.

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension,” the company explained.
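The precondition for the clickjacking Keeper describes is that an attacker’s page can embed or overlay the privileged UI and then fake the user’s clicks. For an ordinary web page, the first thing a practitioner checks is whether that page can be framed by another origin at all. The following is an added example, not Keeper’s code and not Ormandy’s proof of concept, that audits the two response headers controlling this, X-Frame-Options and the CSP frame-ancestors directive. The header values are constructed for the demo. It does not model the extension case itself, where the equivalent control is not rendering privileged controls inside a document the hosting page can position or cover.

```javascript
// Added example: classify a page's clickjacking exposure from its response
// headers. Not Keeper's code; header values below are constructed.

// Return the frame-ancestors source list from a CSP header (lower-cased),
// or null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Decide whether an arbitrary origin may frame the page.
// Returns { framable: boolean, reason: string }.
function framingProtection(headers) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // When both headers are present, browsers honour frame-ancestors and ignore
  // X-Frame-Options, so check CSP first.
  const fa = frameAncestors(h['content-security-policy']);
  if (fa !== null) {
    if (fa.includes("'none'")) return { framable: false, reason: "frame-ancestors 'none'" };
    // '*' or a bare scheme source ("https:") lets any host with that scheme frame the page.
    if (fa.includes('*') || fa.some((s) => s === 'https:' || s === 'http:')) {
      return { framable: true, reason: 'frame-ancestors allows any origin' };
    }
    return { framable: false, reason: `frame-ancestors restricted to ${fa.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { framable: false, reason: `X-Frame-Options ${xfo}` };
  // ALLOW-FROM was never supported by Chrome and has been dropped by Firefox,
  // so treat it as no protection at all.
  if (xfo.startsWith('ALLOW-FROM')) return { framable: true, reason: 'X-Frame-Options ALLOW-FROM is ignored by current browsers' };
  return { framable: true, reason: 'no framing restriction set; any origin may frame this page' };
}

// Constructed sample responses for three hypothetical pages.
const samples = {
  'login page (no headers)': {},
  'vault page': { 'X-Frame-Options': 'DENY' },
  'settings page': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://app.example" },
};
for (const [name, headers] of Object.entries(samples)) {
  const r = framingProtection(headers);
  console.log(`${name}: ${r.framable ? 'FRAMABLE' : 'protected'} (${r.reason})`);
}
```

The check is deliberately conservative: a page that sets only the obsolete ALLOW-FROM form is reported as framable, because that is how Chrome and current Firefox treat it.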

Even though the flaw does not exist in the Windows operating system itself, it once again raises questions about Microsoft’s practice of pushing third-party software onto users that could expose their data. It’s not yet known which users get Keeper pre-installed as part of the bundling deal, but on the positive side, those who don’t need it can disable or remove it.