A researcher has discovered that a third-party password manager Microsoft has begun bundling with some versions of Windows 10 contained a critical vulnerability.
Google Project Zero researcher Tavis Ormandy found the bug after installing a Windows 10 image on a virtual machine. The operating system was downloaded directly from the Microsoft Developer Network and came with the Keeper password manager pre-installed.
The third-party software prompted Ormandy to install a browser plugin containing a flaw that would make it possible for malicious websites to steal user passwords. Ormandy detailed his findings in a blog post, saying:
“This is a complete compromise of Keeper security, allowing any website to steal any password.”
The Keeper team has since patched the flaw, and users with updated software should not be affected unless they enabled the browser plugin.
Microsoft has often touted the improved security features of Windows 10, and its first-party apps and software undergo rigorous security tests. However, third-party software may not be tested in the same manner, which is why security analysts are often wary of manufacturers bundling other companies' software with their products.