The first vulnerability, discovered by Google security researcher Tavis Ormandy, could have allowed attackers to steal users' passwords or execute malicious code on their computers.

The security flaw affected the LastPass browser extensions for Google Chrome, Mozilla Firefox and Microsoft Edge.

The vulnerability could have given attackers access to internal commands inside the LastPass extension, according to the Google Project Zero bug report.

The vulnerable commands were the ones used by the browser extension to copy passwords or fill in web forms using information stored in the user's secure vault.

Ormandy said that if the extension's binary component is installed, attackers could have used the "openattach" command to run arbitrary code on the computer but, according to LastPass, this would have affected less than 10% of users.

All extensions have been patched and are being re-released to users, the company said in a blog post, adding that the LastPass mobile apps for Android and iOS were not affected.

According to LastPass, its investigation to date has not indicated that any sensitive user data was lost or compromised.

The second vulnerability, in the Firefox extension, was related to the first one and has been fixed in the latest version, 4.1.36a.

Users can check the version of their extension by clicking the LastPass logo in the browser, clicking "More options" and then "About LastPass". LastPass said most users will update automatically, but the latest versions can be downloaded here. The company also said no master password change is required and no site credential passwords need to be changed, but urged users to ensure they had the latest versions of the browser extensions.

To exploit the reported vulnerabilities, LastPass said, an attacker would first have to lure a user to a malicious website.

Once the user was on a malicious website, Ormandy demonstrated how an attacker could make calls into LastPass application programming interfaces (APIs) or, in some cases, run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as the user's login credentials.