Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords.
There is a good reason why security analysts are nervous about bundled 3rd-party software: it can introduce vulnerabilities that the company cannot control. And Microsoft, unfortunately, is learning that the hard way. Google researcher Tavis Ormandy found that a Windows 10 image arrived bundled with a 3rd-party password manager, Keeper, which came with a glaring browser plugin flaw: a malicious site could steal passwords. Ormandy’s copy was an MSDN image meant for developers, but Reddit users noted that they got the vulnerable copy of Keeper after clean reinstalls of regular copies and even on a brand new laptop.
A Microsoft spokesperson told Ars Technica that the Keeper team had patched the exploit (in response to Ormandy’s private disclosure), so it should not be a problem if your software is up to date. Also, you were only exposed if you had the plugin enabled.
However, the very existence of the hole still raises a concern: does Microsoft screen 3rd-party applications with the same security rigor as its own software? The company has refused to comment, but that kind of screening may prove crucial if Microsoft is going to maintain the trust of Windows users. It does not matter how secure Microsoft’s software is if a bundled app undermines everything.