Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Watch out for the Win10 apps: Ormandy finds a 16-month-old vulnerability in bundled Keeper


    This topic contains 22 replies, has 11 voices, and was last updated by  rc primak 1 week, 2 days ago.

    • #152305 Reply

      woody
      Da Boss

      Did you know that some Windows 10 installs inject Keeper, a password manager? I just checked my super-clean 1709 machine and didn’t see it. But appare
      [See the full post at: Watch out for the Win10 apps: Ormandy finds a 16-month-old vulnerability in bundled Keeper]

      1 user thanked author for this post.
    • #152333 Reply

      jescott418
      AskWoody Lounger

      Keeper is one of the apps I uninstall first thing, along with many of the other apps Microsoft seems intent on providing me no matter if I want them or not. Funny how Microsoft used to tell all users to keep stuff off your PC that you don’t use. Now they simply install this stuff without even offering an opt-out. I think pretty much all users can figure out how to install any of these apps if they really want them.

      3 users thanked author for this post.
    • #152347 Reply

      zero2dash
      AskWoody Lounger

      I always run
      Get-AppxPackage | Where-Object {$_.Publisher -notlike "*microsoft*"} | Remove-AppxPackage
      on any fresh Win10 install to get rid of anything not created by MS.

      3 users thanked author for this post.
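
A dry-run variant of the one-liner above, added here as an example and not part of the original post. It lists what the publisher filter matches and previews the removal with `-WhatIf`; it assumes an elevated PowerShell session on Windows 10, and the variable names are illustrative.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session on Windows 10; nothing is removed while -WhatIf is present.

# Same publisher filter as the one-liner, minus framework packages that
# other apps depend on.
$candidates = Get-AppxPackage |
    Where-Object { $_.Publisher -notlike '*microsoft*' -and -not $_.IsFramework }

# Review what matched before touching anything.
$candidates |
    Sort-Object Publisher, Name |
    Format-Table Name, Version, SignatureKind, Publisher -AutoSize

# Preview the removal for the current user.
$candidates | Remove-AppxPackage -WhatIf

# Remove-AppxPackage only affects the current user. Provisioned copies are
# installed again for each new profile, so list the matching ones as well.
$names = $candidates.Name
Get-AppxProvisionedPackage -Online |
    Where-Object { $names -contains $_.DisplayName } |
    Select-Object DisplayName, Version, PackageName
```

Provisioned entries that show up in the last listing are handled separately with `Remove-AppxProvisionedPackage -Online -PackageName <PackageName>`.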
      • #152424 Reply

        Cybertooth
        AskWoody Lounger

        When I first read that script, I thought it was to remove anything from Microsoft that I didn’t like (“notlike microsoft”, get it?).  <grin>

        Coulda had loads of fun applying such a script…

         

         

    • #152439 Reply

      anonymous

      I know that devs pay money to MS to promote their apps on W10 as ‘suggestions’ and that’s OK, but to install them without user permission is bad form. Unfortunately, OEMs, and at times MS, do not agree. When this transaction takes place it may only apply to a specific build and not carry over with a refresh. One user confirmed it was pre-installed on their W10 Signature edition – the so-called no-bloat version!

      I have read several comments online regarding this ‘problem’ and it has been confirmed by users that Keeper is included in the latest W10 ISO they downloaded from the MS Site.  I guess it all depends on the tools you use to do a clean install whether it is there or not.

      1 user thanked author for this post.
    • #152509 Reply

      anonymous

      The few times I’ve found myself doing a clean install of windows 10 (rather than just removing it and installing any other OS) I’ve gotten a lot of pre-installed “down arrow tiles” that say some app is coming, but they never turned into anything (even after I eventually connect to the internet for the first time) and I eventually unpinned them, which left no trace.

      Is this normal and/or what everyone else is seeing?

      • #153503 Reply

        anonymous

        I too have seen this clutter, before reconfiguration of a Windows 10 Home OEM (1607) installation in a name brand new computer.

    • #153458 Reply

      Rock
      AskWoody Lounger

      …but isn’t suing the national sport of the U.S.A?

    • #153465 Reply

      anonymous

      The First Amendment protects citizens from punishment by the government for espousing views against the government, in speech, written, or published. There are other protections, but I think this is the relevant portion. It offers no protection from accusations of slander or libel by another citizen or private entity under US law. These charges must be adjudicated on their merit. It is generally held that a true statement cannot be a libelous statement, no matter how much harm results.

      A reverse condition arises if the initial charge is proven false, then the accused can file as plaintiff as a damaged party for having their reputation sullied.

      2 users thanked author for this post.
    • #153477 Reply

      Cybertooth
      AskWoody Lounger

      As I read Woody’s post, I was wondering if Tavis Ormandy could be related to Eugene Ormandy, the longtime conductor of the Philadelphia Orchestra.

      And then when I navigated to this thread, Amazon’s “Shop Related Products” ad to the right is offering me four collections of music performed by… Eugene Ormandy and the Philadelphia Orchestra. <grin>

    • #153482 Reply

      WildBill
      AskWoody Lounger

      It offers no protection from accusations of slander or libel by another citizen or private entity under US law. These charges must be adjudicated on their merit. It is generally held that a true statement cannot be a libelous statement, no matter how much harm results. A reverse condition arises if the initial charge is proven false, then the accused can file as plaintiff as a damaged party for having their reputation sullied.

      Notice that Keeper is not suing Ormandy; they’re suing Ars Technica, Conde Nast & Godkin. Assuming they have deeper pockets than Ormandy in case of a win… However, if Ormandy can prove his assertion that the bug has been there for 16 months, he should join the others as defendants if possible.

      Wild Bill Rides Again...

      1 user thanked author for this post.
      • #153491 Reply

        Ascaris
        AskWoody Lounger

        The burden of proof is on the plaintiff in a civil case.  It’s up to Keeper to prove that the defendants published wrongful and damaging statements, not for Ormandy or anyone else to prove that the statements they made are right.

        It’s interesting that Keeper has not named Google in the suit.   Ormandy was acting on behalf of Google’s Project Zero when he wrote the blog post in question, and if you want some deep pockets, Google’s got them.

        Instead, Keeper is going after Ars for reporting what Ormandy wrote.  They’re trying to kill the messenger rather than the author of the message the messenger carried.

        Something is fishy about this.

        This is a big warning flag to stay well clear of anything Keeper is involved in.  Any company that tosses around the sue-hammer that easily is not someone I want to have anything to do with.  When I read about this issue initially, I interpreted it as Microsoft screwing up by pushing an older version of the program with a discovered vulnerability from over a year ago, but now I’m thinking that “[Keeper] dost protest too much.”

        Interesting bedfellow you got there, Microsoft… you teamed up with a real winner.  Birds of a feather, I suppose.

        Not a lawyer, IMHO, etc., where applicable.

        3 users thanked author for this post.
        • #153581 Reply

          MrJimPhelps
          AskWoody MVP

          My guess as to why they are suing ARS and no one else: Because ARS is the least capable of defending themselves. As you say, Google has deep pockets. They probably have an entire legal dept. with the very best lawyers. Ditto Microsoft. But ARS is just an online publication, likely without the money for a full-time legal staff.

          • #153592 Reply

            WildBill
            AskWoody Lounger

            As Woody said in the update to the original blog post, Keeper is suing Dan Goodin (Not Godkin, as I said in another reply; my bad), Ars Technica, & Conde Nast. Conde Nast is a major publisher with magazines & websites, including ARS, Bon Appetit, BRIDES, Glamour, Golf Digest, GQ, The New Yorker, Vanity Fair, Vogue, Wired & others. There are the deep pockets…

            Wild Bill Rides Again...

            1 user thanked author for this post.
    • #153577 Reply

      MrJimPhelps
      AskWoody MVP

      On December 15, 2017, the ARS Technica website made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords. The article contained numerous false and misleading statements. Ars Technica has revised the article twice, but to date has failed to remove the false statements.

      Keeper now asserts claims for defamation, violation of the Illinois Uniform Deceptive Trade Practices Act, 815 ILCS 510/2, and commercial disparagement under Illinois law.

      I hope ARS has kept good notes as they’ve discovered (and reported) these things.

      2 users thanked author for this post.
    • #153605 Reply

      rc primak
      AskWoody Lounger

      Suing Ars Technica or any of its staff over their reporting is the very definition of a frivolous lawsuit. Every other tech outlet which has repeated Ormandy’s claim would be open to the same suit, including this site.

      In many US States, there is a definition of SLAPP, which is a frivolous lawsuit filed to silence public criticism. This lawsuit may fit the criteria, and opens Keeper to countersuits. In any event, the lack of a retraction from Ars Technica supports the idea that Keeper will not prevail, and Conde Nast has no fear of this suit. But Windows users should have great fear of installing any potentially buggy app when the vendor is so lawsuit-happy.

      Meanwhile, I have found some nicely priced Intel based Chromebooks which should handle a Linux install with Crouton very nicely. Goodbye, Microsoft.

      -- rc primak

      • This reply was modified 4 weeks, 1 day ago by  rc primak.
      6 users thanked author for this post.
      • #153618 Reply

        anonymous
        • #154315 Reply

          rc primak
          AskWoody Lounger

          Nice try, but the linked discussion thread explicitly states that on ARM Ubuntu 16.04 does not work.

          Mine is not such a situation. It’s a very simple option in Intel based (not ARM) Chromebooks to get Ubuntu or any other Linux distro within reason, installed alongside ChromeOS on Intel architecture and never revert into Emergency Mode.

          You have to boot the modified Chromebook with a special keyboard combination, but that’s no worse than the multiple screens I have to go through in my Intel NUC desktop PC before actually getting Windows 10 or Ubuntu 16.04 to boot. And so far, no reports of hardware drivers not behaving properly in Chromebooks when the OS switch takes place. I’ll have to see if any hardware features become unavailable when switching into Linux. That depends on the exact model and production run of the Chromebook I may choose.

          I already had the second article bookmarked. A Chromebook recovery USB drive is essential if making any system-level mods to a Chromebook. I would not proceed without that guide.

          -- rc primak

          • This reply was modified 3 weeks, 5 days ago by  rc primak.
    • #153671 Reply

      Paul
      AskWoody Lounger

      On defamation, disparagement, deceptive business practices, and frivolous lawsuits, it may be interesting to note these will be discussed in terms of Illinois law as it reads in Chicago. Not New York. Historical views of Chicago’s approach to reading law may be interesting. Keeper is playing home court [sic] advantage here.

      • This reply was modified 4 weeks, 1 day ago by  Paul. Reason: added frivolous lawsuits
      1 user thanked author for this post.
    • #153805 Reply

      anonymous

      I read this article and enjoyed it. If the Keeper program like Candy Crush is one of several SuggestedApps listed under the following current user registry key then Microsoft is lying when claiming no knowledge of how it gets installed on a computer. Some Microsoft employee had to perform an action to put that in the build.

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps

      I deleted all of the values listed when setting up a system and that quelled any further attempted nearly silent installations. Don’t set up an internet connection until you have set new connections as metered connections and have taken a peek at that registry key for every user account!

      1 user thanked author for this post.
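
One way to take the "peek at that registry key for every user account" described above, added here as an example and not part of the original post. It reads the SuggestedApps values from every user hive currently loaded under HKEY_USERS and changes nothing; it assumes an elevated session, and accounts that are not logged on (hive not loaded) will not appear.

```powershell
# Added example, not from the original post. Read-only audit of the
# SuggestedApps values for each user hive loaded under HKEY_USERS.
# Assumption: run elevated so other users' hives are readable.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps'

$report = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName

    # Keep real user accounts (local/domain S-1-5-21-*, Azure AD S-1-12-1-*);
    # skip service accounts, .DEFAULT and the *_Classes hives.
    if ($sid -notmatch '^S-1-(5-21|12-1)-[\d-]+$') { continue }

    $path = "Registry::HKEY_USERS\$sid\$subKey"
    if (-not (Test-Path -Path $path)) { continue }

    # Resolve the SID to an account name; fall back to the SID itself.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    # One output row per value stored under the key.
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Account = $account
            App     = $name
            Value   = $key.GetValue($name)
        }
    }
}

$report | Sort-Object Account, App | Format-Table -AutoSize
```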
    • #154317 Reply

      rc primak
      AskWoody Lounger

      The Keeper App being out of date and insecure reminds me of the versions of Firefox, Flash Player Plugin and just about everything else which Ubuntu installs from their own Repositories. Maybe the change in Ubuntu 18.04 to a new repository will get these apps more up to date, but the mere fact that an app is an old version can happen in anyone’s app store. Users who can install apps from outside official Stores and Repositories have long been encouraged to do so, where possible from the original vendors’ web pages. This advice applies to all OSes which have Walled Gardens of their own versions of apps.

      -- rc primak

      1 user thanked author for this post.
      • #154402 Reply

        Paul
        AskWoody Lounger

        I agree with the advice, and have great respect for a vendor that maintains their own download services. I still have misgivings on being sent to SourceForge or other third party clearinghouses to retrieve software. I am also more comfortable with recognized institutions like universities hosting mirrors.

        But a small nagging voice wonders if I am being misled by illusion or poor critical thinking on this. I am curious where your comfort level is.

        • #158122 Reply

          rc primak
          AskWoody Lounger

          I have little fear of installing something bad from Sourceforge, as I look over several tech reviews before trying any new software in Linux. If multiple authors think the Sourceforge version is safe, I give it a go. Otherwise, yes I am skeptical. I always keep a system and data backup on multiple external drives just in case I trust too much. This has happened a few times — more than I care to admit. But rolling back a week has few unwanted consequences, so I feel comfortable with the occasional crash risk or Beta bug.

          I would not have up to date Ubuntu software without taking some risks.  I feel the same way about Windows software. Just have recent system and data backups, and retain configuration file exports, and trying newer versions may become less scary.

          -- rc primak

          1 user thanked author for this post.
