Tavis Ormandy, a security researcher for Google, has managed to find yet another flaw in the LastPass password manager.
Ormandy has reported several critical security flaws in the password manager during the past week, and this weekend he has managed to discover a new one. “I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way,” he stated in his tweet.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
This member of Google’s Project Zero security team is already well known for his abilities to locate and report serious vulnerabilities in many widely used services, and even in the password manager that was supposed to be safe.
The comment from LastPass states that the flaw is “unique and highly sophisticated.” So far, they have not shared any details that could be exploited before fixing is complete, but this is the second weekend in a row that LastPass security team is on a bug fixing duty. They thanked Tavis and others like him for reporting these sort of problems and helping them make online security even better for the rest of their users.
We are aware of a new report by @taviso and are investigating the issue now. Please stay tuned.
— LastPass (@LastPass) March 25, 2017
Not everyone was happy about Ormandy’s newest twitter news. Some even called him on sharing the news about the latest bug problem, believing that his actions only cause fear and uncertainty. What they fail to realize is that all services have to face vulnerabilities from time to time, and all of them get patched up as soon as they are discovered. Most if not all online services have had their fair share of security issues, and most of them managed to get discovered and fixed by people like Ormandy.
I fail to see what harm comes from fixing vulnerabilities. It seems like a huge net positive for everyone.
— Tavis Ormandy (@taviso) March 25, 2017
Ormandy states that the mere existence of a bug was not a big deal and that he did not specify in his tweet what the flaw was, or given any instructions on how to exploit it. So it is safe to say that the accusations about Ormandy’s act could not be any further from the truth.
It is known that many companies have a 90-day disclosure rule set for this sort of situations. Regardless of the seriousness of the discovered bug, the services have to patch things up within this timeframe, and pointing the vulnerabilities online can give that much urgency to creating a fix.
The patch for this newest LastPass flaw has not yet been built, but the security update on their blog states that the fix is being made and that further updates will be provided once the patch is completed.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.