Microsoft ships a lot of (rubbish) preinstalled apps with Windows 10. But now it seems that Microsoft's approach of rolling out (mostly unwanted) third-party apps to Windows 10 went terribly wrong.

When installing Windows 10 from various Microsoft image files, it seems that the Keeper app was preinstalled. (The exact way this app was shipped isn't yet clear: I didn't find the app on my test systems, but some German blog readers confirmed its presence.)

> I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. And this isn't a link to install it like some of the other apps, it's actually installed and opens. I've never seen this come installed with Windows before.

(Keeper Password Manager in Windows 10 – Source: )

The case has been documented with the screenshot above. Other users reported within the thread that the app has been shipped with Windows 10 Home and with Windows 10 Pro. I guess Windows 10 Enterprise isn't affected. One user wrote that he has uninstalled the app 3 times, but it got reinstalled again. At this time it's not clear whether the Keeper app was included in the Windows 10 install image or was installed afterward.

The Windows 10 Content Delivery Manager

Somebody posted a link to this article. The author of this article observed an obscure behavior while upgrading to the Windows 10 Anniversary Update.

> With the Windows 10 Anniversary Update, Microsoft added a new feature to the Content Delivery Manager, a component of the OS which is also used for Windows Spotlight and app suggestions. After I spotted a few new apps after upgrading to the Anniversary Update (not immediately, a few hours later), I decided to take a closer look at this. It now appears to silently install new apps for you without asking for any kind of confirmation.

The article explains how to block this Content Delivery Manager using registry settings.

Google's security researcher Tavis Ormandy also observed, after installing a fresh copy of Windows 10, that the Keeper password manager app had suddenly been installed.

> I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this. I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Tavis remembered that Keeper has had security problems in the past, because they are injecting privileged UI elements into web pages. He inspected the new Keeper password manager app, preinstalled in Windows 10, and found the same vulnerability. This is a complete compromise of Keeper security, allowing any website to steal any password. Tavis linked to the demo page keepertest, which phishes a Twitter account password. Tavis Ormandy informed Keeper about the vulnerability, and the developers immediately released a fix (as you can read in this Keeper blog post).

Dan Goodin from Ars Technica wrote that Windows 10 has been bundled and shipped for 8 days with this critical vulnerability. Because the Content Delivery Manager has been in place since the Anniversary Update, Woody Leonhard mentioned that the (potential) risk has existed for 16 months. I haven't found the app on my test system, which was updated via the Windows Insider program. But I haven't downloaded MSDN ISO images yet.

There's a good reason why security analysts get nervous about bundled third-party software: it can introduce vulnerabilities that the companies can't control.

I received feedback from German blog readers who found Keeper on their Windows 10 systems after upgrading to the Fall Creators Update. The question: Were any of you affected?