It has not been a good couple of weeks for LastPass. In a previous post, I mentioned several bugs that impacted the LastPass password manager. In fairness, LastPass acted quickly to issue a workaround for one of the vulnerabilities, which is what you would expect from vendors but don't often see. After the first round of vulnerabilities was quickly addressed, Tavis Ormandy, a researcher with Google's Project Zero team, identified a new vulnerability. As reported by Ars Technica, "When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault."
LastPass issued a post with its current recommendation to deal with the exposed vulnerability. The suggestions are good for any password manager and include launching site access from within the password manager, enabling two-factor authentication and being wary of phishing attacks. Sounds like common sense to me, which apparently is severely lacking in today's users.