
Windows 10 included a password manager complete with massive password-stealing potential


Microsoft has been bundling a password manager with a dangerous flaw into some versions of Windows 10, a Google security researcher has revealed. Tavis Ormandy noticed that his copy of Windows 10 included Keeper, which he had previously found to be injecting privileged UI into web pages. The version that Microsoft was shipping with Windows 10 contained the same bug. What does this mean? In short, it allows any website to steal passwords from you.

Keeper was included in some Windows 10 installations as a browser plugin, and it contained the very same vulnerability that Ormandy had reported nearly a year and a half earlier. With little more than a couple of easily implemented tweaks, he found that it was possible to steal passwords stored within Keeper.

Ormandy shared details of the vulnerability on Twitter:

I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn’t take long to find a critical vulnerability. https://bugs.chromium.org/p/project-zero/issues/detail?id=1481 

He also posted on the Project Zero page, saying:

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.

Having been made aware of the problem, the developers of Keeper issued a patch within 24 hours, saying:

This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.

There have been no reports of the vulnerability having been exploited.

Image credit: Maddas / Shutterstock

It’s time to update WordPress


WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows based servers.

This post has more information about all of the issues fixed in 4.9.1 if you’d like to learn more.

Spearhead Multimedia clients, as well as all WordPress users, may contact us to perform the update for you.

Is PayPal taking money from you?


Those of us who use PayPal enjoy its convenience and security, but most of us forget about all those billing agreements we make with vendors.

After firing a vendor I logged into my account to remove any agreements I had with them. There were five!

I also began reviewing the ACTIVE agreements and was very surprised. I spent 15 minutes and canceled agreements with CompUSA and TigerDirect, for instance. It’s just a matter of time before someone snatches their customer data.

If you have an account, it’s easy.

Log in to https://paypal.com

Click on PROFILE in the upper right corner, then PROFILE AND SETTINGS

In the grey box in the upper left, click MY MONEY

Choose UPDATE in the MY PREAPPROVED PAYMENTS section and you’ll be taken to your list of vendors who can take your money.

If it’s a long list like mine was, choose ACTIVE under filter and click GO

I knocked mine down from 136 to 13 active.

Many times you’ll see a PayPal charge on your statement and assume it’s a vendor you use regularly. Although the vendor may be listed in the statement, often it is not.

I hope this saves you money to spend on holiday fun like websites and Adwords.

Happy Holidays!


How Real-Time Translation on Google Pixel Buds Works


Credit: Google

The Pixel Buds offer instant access to Google Assistant and 5 hours of battery life, but the most intriguing feature is real-time translation of 40 different languages. With the feature, you’ll be able to speak to someone in a different language and rely on Google Translate to help you get the job done. But as Google’s own support page, and those who have tried out the feature, can attest, it’ll take some legwork to make it happen.

Here’s how to make Google’s real-time translation work with Pixel Buds:

For one thing, you’re going to need a first-generation Pixel or a Pixel 2 phone. All other handsets won’t allow for the real-time translation Google offers with its own line of smartphones. Additionally, you’ll need to have the Google Translate app running on your smartphone.


Now that you’re ready with the correct hardware, you’ll need to activate Google Assistant from the Pixel Buds by pressing the right earbud and saying, “OK, Google, help me speak” followed by the language of your choice. You’ll notice on your phone that Google Translate is now up and ready to help you translate.

If you’re speaking English and the other person is speaking another language, you’ll need to have that person speak into your Pixel or Pixel 2 phone. With Google Translate activated, the other person speaks through the Pixel phone in his or her language and you talk through the earbuds. Along the way, Google Translate translates what each of you says on the fly.

The translation feature is free, as is Google Translate. But to get it up and running, you’ll need to be living in Google’s ecosystem.

by DON REISINGER 

“Google’s Pixel buds translation will change the world.”