Microsoft forced users to install a password manager with a critical flaw

James Marshall
December 17, 2017

Fortunately, Windows 10 users wouldn't have been vulnerable unless they opened Keeper, trusted it with their passwords, and used the browser plugin. "I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called 'Keeper' is now installed by default," he said.

Making matters worse, the security issue had already been discovered a year ago.

For nearly two weeks, Microsoft quietly forced some Windows 10 computers to install a password manager with a browser plugin that contained a critical vulnerability nearly identical to one disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday. The third-party Keeper password manager that comes pre-installed in some Windows 10 versions has a security flaw and it's similar to a vulnerability that the researcher discovered in August 2016.

The third-party Keeper password manager was bundled with Windows 10 downloads from the Microsoft Developer Network.

Lurey said the company was not aware of any attacks using this flaw, nor have customers reported any security incidents where the bug might have been to blame.

This issue underlines a bigger problem: the bloatware that comes pre-installed with Windows 10.

Ormandy even noted that he felt that he was being generous when he gave the 90-day disclosure deadline for the security issue, as it was not a new one at all.

The issue affects the Keeper browser extension version 11.3. He said it affected only version 11 of the app, which was released on December 6, and then only when a user had the accompanying browser plugin installed.

While this may not be a serious issue, it focuses attention on Microsoft's software testing before a public rollout.

Ormandy is part of Project Zero, an elite team of security researchers working for Google.

Microsoft is one of those developers that prefers to include a lot of third-party apps with genuine copies of Windows 10.
