gasratherapy.blogg.se

Lastpass addon for firefox 43.0





We are aware of reports of a Firefox add-on vulnerability.

It took a few days but the company confirmed it was aware of a vulnerability that affected a Firefox add-on, presumably the same issue Ormandy raised to the company, on Tuesday night. Firefox users should be automatically updated to the latest version, Ormandy said. LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning.

Only affects version on (3.3.2), report on way.


Wrote a quick exploit for another LastPass vulnerability.


Ormandy warned last Wednesday of a third vulnerability that affected version 3.3.2 of LastPass’ Firefox add-on, posting a redacted screenshot of the exploit code. The researcher said that on its own, the bug could allow for the access of internal privileged RPCs, something that could in turn allow “complete control of the LastPass extension, including stealing passwords.” If a user had Binary Component installed, an attacker could use “openattach” to run arbitrary code.

RCE if you use the "Binary Component", otherwise can steal pwds.

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF).

The researcher said he discovered the bug, which affects version 4.1.42 of the service on Chrome and Firefox, after noticing an entry in the service’s websiteconnector.js content script that can proxy unauthenticated window messages to the extension. While the exploit was written to work without prompts, he said on Twitter, it could be adapted to work on other platforms such as Linux. Ormandy sent details of an exploit he wrote for the vulnerability, just two lines of JavaScript, to LastPass on Monday.

In a blog entry on Wednesday morning the company confirmed the vulnerability existed in all LastPass clients, Chrome, Firefox, and Edge, and stemmed from “an experimental user onboarding feature” that was released.

We will provide additional details on our blog soon. The issue reported by Tavis Ormandy has been resolved.

We are aware of the report by and our team has put a workaround in place while we work on a resolution.

The company said on Twitter it resolved the bug later that morning and that it was working on a blog post to recap additional details around the vulnerability.
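The bug class described above, a content script that proxies unauthenticated window messages to the extension, is shown here as an added example that is not LastPass code and not from the original article: a relay that forwards everything, beside one that checks sender, origin and command first. The function names, the origin `https://app.example` and the command `showOnboarding` are assumptions made up for the illustration; the events are constructed.

```javascript
// Added illustration of a content-script message relay; not LastPass code.
// All function names, origins and the allowed command are hypothetical.

// Weak pattern: any window message from any sender reaches the extension.
function naiveRelay(forward) {
  return (event) => { forward(event.data); return true; };
}

// Hardened pattern: authenticate the sender, then allowlist what is relayed.
function makeCheckedRelay({ ownWindow, allowedOrigins, allowedCommands, forward }) {
  const origins = new Set(allowedOrigins);
  const commands = new Set(allowedCommands);
  return (event) => {
    // 1. Only the page's own window may talk to us, not frames or popups.
    if (event.source !== ownWindow) return false;
    // 2. Exact origin comparison; no prefix, suffix or substring matching.
    if (!origins.has(event.origin)) return false;
    // 3. Payload must be a plain object naming an explicitly allowed command.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return false;
    if (typeof msg.cmd !== "string" || !commands.has(msg.cmd)) return false;
    // 4. Rebuild the message so unexpected fields never cross the boundary.
    forward({ cmd: msg.cmd, origin: event.origin });
    return true;
  };
}

// Constructed sample events (shaped like MessageEvent objects).
function demo() {
  const page = { name: "top" }, frame = { name: "frame" };
  const ok = "https://app.example";
  const events = [
    { source: page, origin: ok, data: { cmd: "showOnboarding" } },
    { source: frame, origin: ok, data: { cmd: "showOnboarding" } },
    { source: page, origin: "https://app.example.attacker.test", data: { cmd: "showOnboarding" } },
    { source: page, origin: ok, data: { cmd: "openattach" } },
    { source: page, origin: ok, data: "showOnboarding" },
  ];
  const naiveSeen = [], checkedSeen = [];
  const naive = naiveRelay((m) => naiveSeen.push(m));
  const checked = makeCheckedRelay({
    ownWindow: page, allowedOrigins: [ok],
    allowedCommands: ["showOnboarding"], forward: (m) => checkedSeen.push(m),
  });
  events.forEach(naive);
  const verdicts = events.map(checked);
  return { naiveCount: naiveSeen.length, checkedSeen, verdicts };
}

console.log(demo());
```

In a real content script `ownWindow` is `window`, and the privileged side of the extension should still treat every relayed message as untrusted input.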


LastPass, for its part, acknowledged Ormandy’s remote code execution bug early Tuesday morning and said it had put a workaround in place. Little was known about the vulnerability, other than that it existed in version 4.1.35, until early Wednesday morning when LastPass released 4.1.36a to address the issue.

According to the Project Zero bug tracker report, the LastPass for Firefox vulnerability was similar to the remote code execution bug, Ormandy claims, because the browser loads content scripts into error pages, which could let an attacker run arbitrary script to read back a user’s password. Ormandy first disclosed the LastPass for Firefox vulnerability in a since-deleted tweet on Tuesday night, warning it could allow the theft of passwords for any domain.

Very quick response from LastPass, < 24hr.

Ormandy disclosed bug reports for the last two vulnerabilities on Wednesday and commended the company for the fast fixes.


One of the issues, a remote code execution vulnerability that could have enabled the proxying of internal Remote Procedure Call (RPC) commands, was fixed Tuesday morning.

Fixes for two other vulnerabilities, including one in LastPass’ Firefox add-on and another in LastPass for Firefox, were pushed Wednesday morning.


Engineers at LastPass fixed three different vulnerabilities in the password manager over the last 24 hours, all discovered by Google Project Zero researcher Tavis Ormandy, which could have allowed for the theft of passwords.





