News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Watch out for the Win10 apps: Ormandy finds a 16-month-old vulnerability in bundled Keeper

    Posted on December 20th, 2017 at 14:20 woody Comment on the AskWoody Lounge

    Did you know that some Windows 10 installs inject Keeper, a password manager? I just checked my super-clean 1709 machine and didn’t see it. But apparently if you install Win10 directly from the Microsoft Developer Network image, you get Keeper along with Candy Crush and all those other vital Windows programs.

    Tavis Ormandy, whom you may recognize as a long-time Windows bug hunter and esteemed Google Project Zero ace, published a blog yesterday that not only claimed Keeper came along for the ride in a fresh Win10 install — it’s also a version of Keeper that has a big security hole. Ormandy says he reported the bug to Keeper long ago:

    Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

    https://lock.cmpxchg8b.com/keepertest.html

    According to Ormandy, Keeper has fixed the bug.

    Dan Goodin at Ars Technica adds:

    If an outsider can find a 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago. Microsoft officials have yet to respond to questions about what testing it gives to third-party apps before they’re pre-installed, and by some accounts these apps are repeatedly reinstalled against users’ wishes on end users’ computers.

    Ah, those free Windows 10 apps.

    UPDATE: If that don’t beat all…. Keeper Security, the makers of Keeper, has filed a lawsuit against Dan Goodin, Ars Technica, and Conde Nast.

    On December 15, 2017, the ARS Technica website made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords. The article contained numerous false and misleading statements. Ars Technica has revised the article twice, but to date has failed to remove the false statements.

    Keeper now asserts claims for defamation, violation of the Illinois Uniform Deceptive Trade Practices Act, 815 ILCS 510/2, and commercial disparagement under Illinois
    law.

    Sooooo… somebody explain to me this thing called the First Amendment….

    If that helped, take a second to support AskWoody on Patreon