Microsoft just recently rolled out Patch Tuesday updates for December 2017, but there’s already another exploit that needs to be patched. Thanks to a vulnerability in Keeper, a third-party password management application that comes bundled with new versions of Windows 10, many Windows 10 users’ passwords are now vulnerable. What’s worse? This vulnerability was already identified 16 months ago.
A closer look at the Keeper vulnerability
The Windows 10 Anniversary Update (version 1607) adds a new feature called Content Delivery Manager, which bypasses the user’s permission and silently installs applications. This is how Keeper was installed on many Windows 10 systems. Many users are still waiting for Microsoft to explain why a third-party password manager like Keeper is being installed on their computers without their consent.
Tavis Ormandy, a researcher at Google Project Zero, reported a similar exploit for a non-bundled version of Keeper over a year ago. While testing this third-party password manager, Ormandy found a critical vulnerability that lets attackers compromise Keeper’s security and steal all the passwords stored within it.
Keeper was bundled in Windows systems through Content Delivery Manager on December 6th, even though, at the time, Keeper had still not patched this earlier vulnerability. Ormandy clarified that the bundled version’s vulnerability is basically the same as the one he reported in August 2016. He has also provided a proof-of-concept (PoC) by demonstrating the attack on Twitter.
Update released for Keeper
Following Ormandy’s report, Keeper fixed this vulnerability by releasing version 11.4, an update that removes the “add to existing” functionality. This vulnerability affects version 11 of Keeper only, while other versions remain safe. Version 11 was rolled out on December 6th of this year as a major browser extension update.
If you haven’t opened Keeper and enabled it to store passwords, then you’re safe from the vulnerability. If you have used Keeper, you’ll want to follow the steps below to resolve the vulnerability as soon as possible.
How to resolve this Keeper vulnerability
There are three ways to resolve this issue:
1. Prevent this password breach by updating Keeper to the latest version (11.4).
2. Modify your registry to disable Microsoft’s Content Delivery Manager feature using the registry tweak below.
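Windows Registry Editor Version 5.00

; This key exists only while the default user profile hive is loaded
; under HKEY_LOCAL_MACHINE\DefaultUser (assumed here).
[HKEY_LOCAL_MACHINE\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
; 0 = disabled
; 1 = enabled (default)
"PreInstalledAppsEnabled"=dword:00000000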
3. To resolve this for your entire network of Windows 10 systems, you can use Desktop Central’s package template option, which allows you to execute this registry tweak on all your targeted computers from one location, using a single deployment procedure.
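To confirm that the registry tweak in step 2 took effect, the following PowerShell check reports the state of PreInstalledAppsEnabled for each hive it can see. It is an added example, not part of the original post or of Desktop Central. It assumes the value is also stored per user under HKEY_USERS\<SID> at the same subkey path, and that the default profile hive, if loaded, sits at HKEY_LOCAL_MACHINE\DefaultUser as in the .reg file above.

```powershell
# Added example: audit the Content Delivery Manager setting from the .reg file.
# Run from an elevated prompt so other users' loaded hives are readable.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$ValueName = 'PreInstalledAppsEnabled'

function Get-CdmState {
    param([Parameter(Mandatory)][string]$HivePath)

    $keyPath = "$HivePath\$SubKey"
    if (-not (Test-Path -LiteralPath $keyPath)) { return 'KeyMissing' }

    $prop = Get-ItemProperty -LiteralPath $keyPath -Name $ValueName -ErrorAction SilentlyContinue
    # Assumption: an absent value behaves like the default (1 = enabled)
    # listed in the .reg comments, so it is reported separately for review.
    if ($null -eq $prop) { return 'NotSet' }

    if ($prop.$ValueName -eq 0) { 'Disabled' } else { 'Enabled' }
}

# Collect the hives to inspect: every loaded per-user hive (skipping the
# *_Classes hives and built-in service accounts) ...
$hives = @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

# ... plus the default profile hive, if it is loaded where the .reg file expects it.
$defaultHive = 'Registry::HKEY_LOCAL_MACHINE\DefaultUser'
if (Test-Path -LiteralPath $defaultHive) { $hives += $defaultHive }

$report = foreach ($hive in $hives) {
    [pscustomobject]@{
        Hive  = $hive -replace '^Registry::', ''
        State = Get-CdmState -HivePath $hive
    }
}
$report | Format-Table -AutoSize

# Anything other than 'Disabled' means the tweak has not been applied to that hive.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) hive(s) still allow preinstalled apps."
}
```

Hives for users who are not logged on are not loaded under HKEY_USERS, so they do not appear in the report.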
You can check out our template options for yourself before you decide to download Desktop Central.
Or download Desktop Central now if you’re ready to deploy new and different types of security configurations so you can keep your network safe.