Windows 10 included password manager with huge security hole

Or, why bundling third-party apps can create risks.
Jon Fingas, @jonfingas
December 16, 2017
There's a good reason why security analysts get nervous about bundled third-party software: it can introduce vulnerabilities that the companies can't control. And Microsoft, unfortunately, has learned that the hard way. Google researcher Tavis Ormandy discovered that a Windows 10 image came bundled with a third-party password manager, Keeper, which came with a glaring browser plugin flaw -- a malicious website could steal passwords. Ormandy's copy was an MSDN image meant for developers, but Reddit users noted that they received the vulnerable copy of Keeper after clean reinstalls of regular copies and even a brand new laptop.

A Microsoft spokesperson told Ars Technica that the Keeper team had patched the exploit (in response to Ormandy's private disclosure), so it shouldn't be an issue if your software is up to date. Also, you were only exposed if you enabled the plugin.

However, the very existence of the hole has still raised a concern: are Microsoft's security tests as thorough for third-party apps as they are for its own software? The company has declined to comment, but that kind of screening may prove crucial if Microsoft is going to maintain the trust of Windows users. It doesn't matter how secure Microsoft's code is if a bundled app undermines everything.
