Critical Vulnerability Discovered in Windows 10 Pre-installed Password Manager
Recent findings reveal a significant security flaw in a commonly bundled password manager app, “Keeper,” that is shipped with some Windows 10 systems. As part of the Windows 10 Anniversary Update (Version 1607), Microsoft implemented the Content Delivery Manager, which allows for the silent installation of applications without user consent. This change has raised concerns among cybersecurity experts regarding user safety and consent in software deployment.
Tavis Ormandy, a researcher from Google’s Project Zero, detected the Keeper application on his system after downloading Windows 10 from the Microsoft Developer Network. Shortly after, he discovered a critical vulnerability that could allow malicious websites to access stored passwords. This flaw poses a grave risk, effectively compromising the security mechanism that Keeper is designed to provide.
The concern over Keeper isn’t isolated to Ormandy’s findings; reports from Reddit users and other online platforms indicate that the app has caught many by surprise, with instances of it being pre-installed on various Windows 10 environments, including virtual machines.
The implications of the vulnerability are serious. According to Ormandy, it allows for the “complete compromise of Keeper security,” enabling any website to potentially harvest user passwords stored within the application. Ormandy emphasized the gravity of this issue on social media, referencing similar vulnerabilities he identified in earlier versions of Keeper, underscoring a troubling pattern in the app’s security architecture.
To demonstrate the flaw, Ormandy provided proof-of-concept exploits that could extract sensitive information, including a user’s Twitter credentials. In response to these findings, Keeper’s developers acknowledged the flaw and have since introduced a patch in version 11.4, specifically addressing the vulnerability by removing the risky “add to existing” functionality.
It is important to note that until users manually enable Keeper and utilize it to store passwords, they may not be exposed to the threat. Microsoft, however, faces scrutiny regarding the approach taken with the installation of third-party applications without explicit user consent, stirring a broader conversation about transparency in software delivery.
Despite the absence of reports indicating that this vulnerability has been actively exploited, it remains imperative for businesses leveraging Windows 10 to be vigilant about the tools running on their systems. The incident illustrates the types of adversary tactics that may align with the MITRE ATT&CK framework, specifically concerning initial access through software bundling, alongside risks associated with persistence and privilege escalation within the application environment.
For organizations keen to mitigate future risks, Microsoft users are advised to disable the Content Delivery Manager through a registry modification to prevent unwanted software from being silently installed, thereby enhancing their overall security posture. As cybersecurity threats continue to evolve, this incident serves as a reminder of the critical need for vigilance and proactive management of software on enterprise systems.