• Watch out for the Win10 apps: Ormandy finds a 16-month-old vulnerability in bundled Keeper

    Did you know that some Windows 10 installs inject Keeper, a password manager? I just checked my super-clean 1709 machine and didn’t see it. But apparently if you install Win10 directly from the Microsoft Developer Network image, you get Keeper along with Candy Crush and all those other vital Windows programs.

    Tavis Ormandy, whom you may recognize as a long-time Windows bug hunter and esteemed Google Project Zero ace, published a blog yesterday that not only claimed Keeper came along for the ride in a fresh Win10 install — it’s also a version of Keeper that has a big security hole. Ormandy says he reported the bug to Keeper long ago:

    Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

    https://lock.cmpxchg8b.com/keepertest.html

    According to Ormandy, Keeper has fixed the bug.

    Dan Goodin at Ars Technica adds:

    If an outsider can find a 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago. Microsoft officials have yet to respond to questions about what testing it gives to third-party apps before they’re pre-installed, and by some accounts these apps are repeatedly reinstalled against users’ wishes on end users’ computers.

    Ah, those free Windows 10 apps.

    UPDATE: If that don’t beat all…. Keeper Security, the makers of Keeper, has filed a lawsuit against Dan Goodin, Ars Technica, and Conde Nast.

    On December 15, 2017, the ARS Technica website made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords. The article contained numerous false and misleading statements. Ars Technica has revised the article twice, but to date has failed to remove the false statements.

    Keeper now asserts claims for defamation, violation of the Illinois Uniform Deceptive Trade Practices Act, 815 ILCS 510/2, and commercial disparagement under Illinois law.

    Sooooo… somebody explain to me this thing called the First Amendment….