Today, when we use our devices, we handle sensitive content, sometimes without realizing it. Laptops, tablets, mobile phones, even televisions and sound equipment: a good number of them store email accounts and their passwords, Wi-Fi networks and their keys, personal access codes… We could continue and the list would be huge.
If we focus on laptops and mobile devices and their operating systems, we see vendors increasingly trying to improve how such data is managed. On the one hand they want us to rely on our devices to store our entire digital life by offering the right tools, and at the same time they guarantee that this management is secure and that our data will always be safe. A problem arises when this is not the case, which is what seems to have happened with Keeper, the password manager that is included in Windows 10.
Keeper is third-party password management software (classic bloatware), which partly absolves those in Redmond in this controversy. It is software similar to, to give a single example, 1Password. Getting to the point, Keeper apparently has an important vulnerability, a flaw discovered by Tavis Ormandy, a researcher at Project Zero (which belongs to Google), that can leave our login credentials completely unprotected. Think about the amount of information we may have stored there and how sensitive it is.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn’t take long to find a critical vulnerability. https://t.co/dbkznucgLm
— Tavis Ormandy (@taviso) December 15, 2017
Google already warned at the time about the flaw affecting Explorer and Edge, and now it puts the spotlight on Microsoft again, in this case on Keeper. Ormandy said that after installing a copy of Windows 10 without any modification, the password manager that comes pre-installed suffers from a security flaw that can let any web page access the login data we have stored for any service.
THE THREAT STILL EXISTS IN WINDOWS VERSIONS THAT CAN BE INSTALLED AND DO NOT HAVE THE SECURITY PATCH OR THE CORRECTED VERSION OF KEEPER
Once the critical flaw was discovered, it was reported to Microsoft (and 90 days were given) so that the Keeper developers could fix it, which they did with an update released only 24 hours after receiving the report. The patch comes as an update, version 11.3, which is installed automatically on computers that have Keeper, without the user having to intervene in the process.
The problem is that if you perform a clean installation of Windows 10, the bug is still present as long as you do not update the application, because the Windows 10 versions already released do not include the security patch. So if you have just installed a copy of the Microsoft operating system, watch for updates and install all pending security patches as soon as possible.