Messages - Steven Avery

81
Good question.  I decided to study this out.  3.3.4 is retired, and may contain a vulnerability.

Here there is some description, starting with an earlier vulnerability in 3.3.2.

LastPass releases fix browser extension security flaws
March 23, 2017
https://www.computerweekly.com/news/450415398/LastPass-releases-fixes-browser-extension-security-flaws
"Users can also update to Firefox 3.3.4, however, as we noted previously, the 3.x version of LastPass will be retired in the coming weeks."

LastPass has fixed three bugs in the password manager discovered by Google researcher Tavis Ormandy in the last 24 hours.
March 22, 2017
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/
"LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning. Firefox users should be automatically updated to the latest version, Ormandy said."

Discussion of the Ormandy-LastPass interactions:
Threatpost - March 22
LastPass Fixes Three Password Theft Vulnerabilities
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/

=====================

This whole discussion is good, the extract is from the last quote.

LastPass Bug
Bogleheads
April 1, 2017
https://www.bogleheads.org/forum/viewtopic.php?t=215129

MudPuppy
There have been several attacks over the years against browser extensions for LastPass specifically and other password vaults in general. In most cases, this involves somehow fooling the browser extension into thinking you are on XYZ website, when you are actually on ABC website. By using the browser extension to have the convenience of automatically logging in to a site when you visit it, you've opened yourself to the risk that the browser extension is tricked this way.

The simplest solution is to just not use the browser extensions for a password vault. Take the extra 30 seconds to manually cut-and-paste the password from the vault into the website when you want to log in (or the extra minute to manually type it out). Then you don't have to worry about browser extensions being fooled, you just have to worry about you being fooled (e.g. phishing or other social engineering).

========================

Tavis Ormandy on Twitter
https://twitter.com/taviso

========================

While it says there that the problem was in 3.3.2 you have this:

Is Fx extension 3.3.4 affected by the latest vulnerability?
April 7, 2017
https://forums.lastpass.com/viewtopic.php?f=12&t=252675
"YES 3.3.4 is affected"

Not sure if that is true, it may have been an extrapolation from:
"All of your LastPass browser extensions should be updated to version 4.1.44 or higher"
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

Pale Moon Forum
PM 27.2.0 not allowing CRITICAL update to LASTPASS
https://forum.palemoon.org/viewtopic.php?t=15223
Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.

Major Geeks wonders if 3.3.4 has vulnerabilities
https://forums.majorgeeks.com/threads/password-manager.316936/

Reddit back and forth, how quick was LastPass, and no clear indication on 3.3.4
https://www.reddit.com/r/programming/comments/621p81/developers_of_the_widely_used_lastpass_password/

Wilders
https://www.wilderssecurity.com/threads/password-manager-discussion.372873/page-13

Mozillazine
https://discourse.mozilla.org/t/why-are-you-serving-a-vulnerable-lastpass-version-3-3-4/15380/6
http://forums.mozillazine.org/viewtopic.php?f=3&t=3029141

A competitor attacks LastPass
https://palant.de/2017/03/23/lastpass-security-done-wrong/

==========================

POSSIBLY 3.3.4 IS VULNERABLE - THIS IS A SECOND THINGY

Security Update for the LastPass Extension
March 27, 2017 - updated March 31
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

TavisO finds yet another LP code execution exploit
https://forums.lastpass.com/viewtopic.php?f=6&t=251065&start=10
This may affect 3.3.4.
All of your LastPass browser extensions should be updated to version 4.1.44 or higher

================================

82
FYI:
It does seem that LastPass may be problematic with Pale Moon and similar.  The last one referred to as compatible was 3.3.4 but there is some sort of vulnerability involved. And since this is a delicate area, I will just use LastPass from the Taskbar and/or Desktop capabilities.

83
General Software Discussion / Re: the power of Linkman
« on: July 20, 2019, 05:37 PM »
8.9.9.11 is what I have.  Pretty sure the differences are tiny.

Firefox/PaleMoon is mentioned in Tools->Settings->Browser.

And I had no problem putting it on Pale Moon. You have to use the Legacy .xpi which you download to your disk/desktop whatever and is on the Linkman Firefox extension page.  Then you pick it up with the button in the Pale Moon Extension page that loads an extension from a file.  That is what worked for me on Pale Moon, also Waterfox and Cyberfox, I think. (Lenovo SFF with little on it, so I loaded about 12 browsers for fun.)  It is all the same extension. It would work for Firefox 56 but why bother with Pale Moon handy.  You can identify the browser by using the Tools-Settings-Browser User Defined.  (Or default is good too, for calling.) That is helpful for loading a page from Linkman to the browser, where you have various choices even at the time of loading.

If you use the Quantum .xpi then it will say the file is corrupted and the extension will not load.
The extension will always communicate with the Linkman Drop Basket, just remember that if it is squirrelly you probably initiate the ADD/EDIT from the browser side.

And sometimes you change 80 to 81, port, but on my latest use of a Windows 7 it was not clashing with Skype, dunno why, so I left everything at port 80 for now.

I do go in and out of Pale Moon, Firefox (Quantum and Quantum ESR) and Chrome (regular and Canary). I use Opera for some oddball sign-ons as well, it is my back-door browser. And use the others more on a whim.

Make sense?

84
General Software Discussion / the power of Linkman
« on: July 20, 2019, 07:23 AM »
This was meant as a reply to Cyberdiva on another thread.

Pale Moon as my browser due to the wonderful extensions
https://www.donationcoder.com/forum/index.php?topic=48093.0

However, let's keep it as its own. This has been by far the most valuable program I have used, without any real comparable alternative, imho.

=====================

Linkman gives full support.  And they are pretty robust in having a number of browsers built-in. Hard to find improvements that will bring them from 8.99 to 9.0.  And I have over 100K bookmarks and it works wonderfully.

Once I suggested that they might have an archive feature, where your pages could be kept on your disk, for those that vanish or become 404s. (A decent pct. can then be found in Archive.org or by Google search.)  They actually were working on it a bit, I think they decided it was too much effort and complication for too little usage.

What a program! It is especially helpful as a research assistant. I group a topic with a keyword (e.g. the "real Nazareth" or "WooCommerce plugin") and when the topic comes up in discussion I quickly have my 5 or 50 urls on the topic, with some notes about what is in that page.  Also with Google books and Archive.org, I line it up in order and give each page of interest a description of what I found there. 

Remember the predecessor, Powermarks :).

85
Thanks.  I am only using latest versions.
Quite a blunder on the PaleMoon people (remember, even CCleaner had a problem, with a current version.)

Semi-tech discussion about WebExtension and URL

Basilisk Browser Drops Webextension Support
https://www.ghacks.net/2019/01/21/basilisk-browser-drops-webextension-support/

Basilisk would be the 4th alternative, but it is very little different than PaleMoon

I added uBlock Origin to these browsers from the LegacyCollector
Also Tab Flick.
