Microsoft Pre-Installs Password Manager That Can Compromise Your Passwords

UPDATE: What do you do if you are a company whose software is buggy and which has been outed by a well-respected journalist, Ars Technica's Dan Goodin?

One approach would be to apologize.

Keeper Software’s idea is to sue the journalist for false and misleading statements.

The alternative would be to sue the researcher, Tavis Ormandy, who found the bug. Unfortunately for Keeper, Tavis works for Google, and if they tried suing Google it likely would not turn out well, so they sued a much smaller web site, Ars Technica.

Keeper says that the defamation came from Dan’s comment that the bug was 16 months old.

Hopefully Keeper’s suit gets thrown out of court very quickly, but even if it does, it will still cost Ars a bunch to defend themselves.

Whether this is a bit of PR genius or PR disaster still remains to be seen. (see article here).

Security is a never ending task.

For some reason, Microsoft decided to pre-install a third party password manager on the Win 10 Anniversary Update (version 1607).

Unfortunately, the version of Keeper that Microsoft is distributing has a critical flaw that allows for a complete compromise of the passwords that you have entrusted to this software.

On top of it, Microsoft doesn't ask users if they want to install the Keeper software; it just installs it. I assume that Keeper is paying Microsoft to install it.

The critical flaw in Keeper is one that Tavis Ormandy of Google’s Project Zero already found in Keeper over a year ago.

How Microsoft managed to distribute a version of the software that still had this bug is unknown, but it points to a bit of a supply chain problem. Microsoft should have known that Keeper had a critical flaw a year ago and checked to make sure that this version was fixed. New bugs are expected, but bugs that were fixed a year ago should not still be distributed.

The good news is that Keeper has created a patch for this version of the software and it is being distributed.

If you never opened the software or never saved any passwords in it, you would be safe, even with this bug, if that is any consolation.

Bottom line, USERS need to be responsible for the software that they use. The challenge with that is that many users probably figured this was an app that Microsoft developed. After all, they didn't ask for it; they didn't download it; Microsoft never told them it was a third party app that was being silently installed. It just appeared.

Thank you Google Project Zero!

Information for this post came from Hacker News.
