A few short items today.
First, Lastpass, one of the two password managers that I like (the other is Keepass) has been hit with three different security bugs in the last couple of weeks. This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights. The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which compared to many other companies, is pretty amazing. The third one has not been fixed yet and Tavis says that is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right. Lastpass automatically updates it’s software, so as soon as the patches are available, they will be installed across the entire user base.
These bugs highlight the conflict between security and convenience. All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page. If you did not do the browser integration, then none of these compromises would work. Keepass does not have any browser integration so it is not susceptible to these types of attacks. The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.
I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.
On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents. While no bugs were found, by default, documents uploaded to Docs.com, but not those created in Office 365, DEFAULTED to public viewing. With this setting search engines indexed the files and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.
After this was publicly revealed Microsoft made a change to the site. While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.
This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be. Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me. Seems like you should set it to default to private and make people intentionally share it if that is there intention, but that is not what Microsoft is doing right now.
This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect. In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.
Finally, Apple just released IOS 10.3. To dispel the myth that Apple is a superhero, the list of bugs is pretty long. Apple, while very security conscious, still uses human beings to program their software (as far as I know) and humans make mistakes. If you have not installed the new version, you should as attackers use these announcements to exploit vulnerabilities in non-updated software. A partial list of the count of bugs fixed by category includes:
- Accounts -1
- Audio -1
- Carbon -1
- CoreGraphics – 2
- CoreText – 3
- Data Access -1
- Font Parser – 3
- HomeKit – 1
- Http Protocol -1
- ImageIO – 4
- iTunes Store – 1
- Kernel – 8
- Keyboards – 1
- Safari -4
- Safari Reader – 1
- Safari View Controller – 1
- Security – 4
- Webkit – 17 (this is the basis of Safari)
And a bunch of others.
As you can see, this fixes bugs all over the operating system, not just in one area.
This is not a dig at Apple , just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.
Information for this post came from Steve Gibson at Gibson Research. If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.