General Software Discussion / Re: Pale Moon as my browser due to the wonderful extensions
« on: July 22, 2019, 06:03 AM »
Good question. I decided to study this out. 3.3.4 is retired, and may contain a vulnerability.
Here there is some description, starting with an earlier vulnerability in 3.3.2.
LastPass releases fix browser extension security flaws
March 23, 2017
https://www.computerweekly.com/news/450415398/LastPass-releases-fixes-browser-extension-security-flaws
"Users can also update to Firefox 3.3.4, however, as we noted previously, the 3.x version of LastPass will be retired in the coming weeks."
LastPass has fixed three bugs in the password manager discovered by Google researcher Tavis Ormandy in the last 24 hours.
March 22, 2017
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/
"LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning. Firefox users should be automatically updated to the latest version, Ormandy said."
Discussion of the Ormandy-LastPass interactions:
Threatpost - March 22
LastPass Fixes Three Password Theft Vulnerabilities
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/
=====================
This whole discussion is good, the extract is from the last quote.
LastPass Bug
Bogleheads
April 1, 2017
https://www.bogleheads.org/forum/viewtopic.php?t=215129
MudPuppy
There have been several attacks over the years against browser extensions for LastPass specifically and other password vaults in general. In most cases, this involves somehow fooling the browser extension into thinking you are on XYZ website, when you are actually on ABC website. By using the browser extension to have the convenience of automatically logging in to a site when you visit it, you've opened yourself to the risk that the browser extension is tricked this way.
The simplest solution is to just not use the browser extensions for a password vault. Take the extra 30 seconds to manually cut-and-paste the password from the vault into the website when you want to log in (or the extra minute to manually type it out). Then you don't have to worry about browser extensions being fooled, you just have to worry about you being fooled (e.g. phishing or other social engineering).
========================
Tavis Ormandy on Twitter
https://twitter.com/taviso
========================
While it says there that the problem was in 3.3.2 you have this:
Is Fx extension 3.3.4 affected by the latest vulnerability?
April 7, 2017
https://forums.lastpass.com/viewtopic.php?f=12&t=252675
"YES 3.3.4 is affected"
Not sure if that is true, it may have been an extrapolation from:
"All of your LastPass browser extensions should be updated to version 4.1.44 or higher"
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
Pale Moon Forum
PM 27.2.0 not allowing CRITICAL update to LASTPASS
https://forum.palemoon.org/viewtopic.php?t=15223
Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.
Major Geeks wonders if 3.3.4 has vulnerabilities
https://forums.majorgeeks.com/threads/password-manager.316936/
Reddit back and forth, how quick was Lastpass, and no clear indication on 3.3.4
https://www.reddit.com/r/programming/comments/621p81/developers_of_the_widely_used_lastpass_password/
Wilders
https://www.wilderssecurity.com/threads/password-manager-discussion.372873/page-13
Mozillazine
https://discourse.mozilla.org/t/why-are-you-serving-a-vulnerable-lastpass-version-3-3-4/15380/6
http://forums.mozillazine.org/viewtopic.php?f=3&t=3029141
A competitor attacks LastPass
https://palant.de/2017/03/23/lastpass-security-done-wrong/
==========================
POSSIBLY 3.3.4 IS VULNERABLE - THIS IS A SECOND THINGY
Security Update for the LastPass Extension
March 27, 2017 - updated March 31
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
TavisO finds yet another LP code execution exploit
https://forums.lastpass.com/viewtopic.php?f=6&t=251065&start=10
This may affect 3.3.4.
All of your LastPass browser extensions should be updated to version 4.1.44 or higher
================================
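The MudPuppy quote above describes the core risk: the extension being tricked about which site it is actually on. The following added example (not code from this thread, from LastPass or from any of the linked posts) contrasts a naive URL-string match with a strict parsed-origin check of the kind an autofill feature needs; the vault entries, hostnames and secrets are all constructed.

```javascript
// Added example: why a password-manager extension must decide "which site am I on?"
// from the parsed page origin, never by substring matching on the raw URL string.

// Constructed sample vault: each entry is bound to the exact origin it was saved on.
const VAULT = [
  { site: "https://bank.example", user: "alice", secret: "constructed-secret-1" },
  { site: "https://mail.example", user: "alice", secret: "constructed-secret-2" },
];

// Naive matcher of the kind lookalike pages can fool: "does the URL contain the
// saved hostname?" Any page that embeds that name in its own host, path or query matches.
function naiveMatch(entry, pageUrl) {
  const host = new URL(entry.site).hostname;
  return pageUrl.includes(host);
}

// Strict matcher: parse the page URL, require HTTPS, and compare the full origin
// (scheme + host + port) for equality. Prefix, suffix and path tricks do not apply.
function strictMatch(entry, pageUrl) {
  let page;
  try { page = new URL(pageUrl); } catch { return false; } // unparsable URL: never fill
  if (page.protocol !== "https:") return false;
  return page.origin === new URL(entry.site).origin;
}

// Returns the vault entries a given matching policy would offer for autofill on pageUrl.
function candidates(pageUrl, matcher) {
  return VAULT.filter((e) => matcher(e, pageUrl)).map((e) => e.user + "@" + e.site);
}

// Constructed pages that resemble the bank but are not it (non-routable .test names).
const LOOKALIKES = [
  "https://bank.example.lookalike.test/login",         // saved host used as a subdomain prefix
  "https://lookalike.test/bank.example/login",         // saved host in the path
  "https://lookalike.test/?next=https://bank.example", // saved host in a query string
  "http://bank.example/login",                         // right host, but plain HTTP
];

// Counts how many lookalike pages a policy would hand credentials to. Should be zero.
function fooledCount(matcher) {
  return LOOKALIKES.filter((u) => candidates(u, matcher).length > 0).length;
}
```

Run stand-alone, `fooledCount(naiveMatch)` reports every lookalike as a match while `fooledCount(strictMatch)` reports none, and only the genuine `https://bank.example` page yields the bank entry under the strict policy.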