http://www.tomshardware.com/news/las...rds,33957.html



The flaw that Ormandy discovered on March 20 in the LastPass Chrome extension (version 4.1.42.80) was in an intermediary JavaScript script that sits between the browser extension and LastPass's cloud service, where your password vault is stored. The bug could allow an attacker to steal your passwords as the vault is accessed.

If you had the "binary component" installed, the bug would have allowed arbitrary code execution, too. The binary component for the LastPass browser extension adds convenience features such as fingerprint authentication support and importing and exporting data, among others.

Ormandy put together a proof of concept in which he showed that the "calc.exe" application could be started remotely on Windows via the LastPass extension vulnerability. According to a recent LastPass post, the bug affected all versions of the extension (Chrome, Firefox, Edge, and Safari). The company said it addressed the bug, apparently via a workaround rather than a complete fix, hours after it was reported.

Another vulnerability was reported for Firefox on March 21. This bug reportedly affects version 4.1.35a of the Firefox extension, and the company said the flaw is "largely the same" as the one reported the previous day. However, instead of addressing the Firefox extension's issue via the same workaround used for the previous bug, LastPass waited until a full fix was ready. The company said it released version 4.1.36a of the Firefox extension to fix the reported issue at 12:15am ET today.

LastPass added that it has no knowledge of the vulnerabilities being exploited in the wild and that it plans to release a more comprehensive summary of the events soon.