Security researcher Tavis Ormandy found a zero-day vulnerability affecting LastPass, a popular password vault, meaning millions of users may be at risk until the problem is patched. Security experts from Lieberman Software and AlienVault commented below:
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“One thing that’s interesting about the LastPass zero-day hole is that it proves they are likely using a good dose of their own medicine. LastPass is about protecting credentials. Nearly every story you see hitting the headlines about bad guys breaking in these days involves some form of stolen credentials. If that was the issue at LastPass, then it would be very bad. However, a zero-day hole like this is something that pops up in nearly every piece of software eventually – especially one as widely used and distributed as LastPass. It only means they are not perfect, but really, who is?”
Javvad Malik, Security Advocate at AlienVault:
“History has shown us that no software, not even password managers, is immune to security attacks. While the details of this particular bug are unknown, it does appear to require a user to visit a malicious website in order to be executed. Part of the defense is users remaining vigilant and not clicking on unknown or suspect links, as this could enable any number of exploits to be launched.
“Furthermore, monitoring password use, logins, and attempted changes of details can serve as good early indicators that attempts have been made to compromise an account – so proactive action can be taken.”
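The monitoring Malik describes can be made concrete as a few rules over an account-activity log. The following is an added example written for this page; it is not code from the article, from AlienVault, or from LastPass. The event format, field names (`user`, `ip`, `event`, `ts`), event types, and thresholds are assumptions chosen for illustration, and the log lines are constructed, not real data. Three rules are applied: a burst of failed logins, a successful login from an IP the account has never used, and a password or e-mail change attempted shortly after such a login, which is the pattern of an attacker locking the real owner out.

```python
"""Early-warning rules over account-activity events for a password-vault account.

Added example, not code from the article or the vendors it quotes. Event schema,
event names and thresholds are assumptions; SAMPLE_EVENTS is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for two accounts (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2016-07-27T09:00:00", "user": "alice", "ip": "203.0.113.10", "event": "login_success"},
    {"ts": "2016-07-27T09:05:00", "user": "alice", "ip": "203.0.113.10", "event": "credential_read"},
    {"ts": "2016-07-27T12:00:00", "user": "alice", "ip": "198.51.100.7", "event": "login_failed"},
    {"ts": "2016-07-27T12:00:20", "user": "alice", "ip": "198.51.100.7", "event": "login_failed"},
    {"ts": "2016-07-27T12:00:40", "user": "alice", "ip": "198.51.100.7", "event": "login_failed"},
    {"ts": "2016-07-27T12:01:00", "user": "alice", "ip": "198.51.100.7", "event": "login_failed"},
    {"ts": "2016-07-27T12:01:30", "user": "alice", "ip": "198.51.100.7", "event": "login_success"},
    {"ts": "2016-07-27T12:02:00", "user": "alice", "ip": "198.51.100.7", "event": "email_change_attempt"},
    {"ts": "2016-07-27T12:03:00", "user": "alice", "ip": "198.51.100.7", "event": "password_change_attempt"},
    {"ts": "2016-07-27T13:00:00", "user": "bob", "ip": "192.0.2.44", "event": "login_success"},
    {"ts": "2016-07-27T13:10:00", "user": "bob", "ip": "192.0.2.44", "event": "password_change_attempt"},
]

# Thresholds are assumptions for the example; tune them to your own baseline.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
CHANGE_AFTER_NEW_IP_WINDOW = timedelta(minutes=30)
SENSITIVE_CHANGES = {"password_change_attempt", "email_change_attempt"}


def parse_events(events):
    """Parse ISO-8601 timestamps and order events chronologically."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect(events):
    """Run the three rules over the events; return (user, rule, detail) tuples."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    known_ips = defaultdict(set)   # user -> IPs with an earlier successful login
    new_ip_login = {}              # user -> (ts, ip) of latest login from an unseen IP

    for e in parse_events(events):
        user, ip, ts, kind = e["user"], e["ip"], e["ts"], e["event"]

        if kind == "login_failed":
            # Rule 1: a burst of failed logins within a short window.
            failures[user] = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            if len(failures[user]) >= FAILED_LOGIN_THRESHOLD:
                alerts.append((user, "burst_failed_logins",
                               f"{len(failures[user])} failures from {ip} within {FAILED_LOGIN_WINDOW}"))
                failures[user] = []  # one alert per burst

        elif kind == "login_success":
            # Rule 2: successful login from an IP this user has never used.
            # The very first login seen for a user only seeds the baseline.
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append((user, "login_from_new_ip", f"first login from {ip}"))
                new_ip_login[user] = (ts, ip)
            known_ips[user].add(ip)

        elif kind in SENSITIVE_CHANGES:
            # Rule 3: password/e-mail change attempted soon after a new-IP login.
            last = new_ip_login.get(user)
            if last and ts - last[0] <= CHANGE_AFTER_NEW_IP_WINDOW:
                alerts.append((user, "change_after_new_ip_login",
                               f"{kind} from {ip} {ts - last[0]} after login from new IP {last[1]}"))
    return alerts


def rules_fired(events, user):
    """Names of the rules that fired for one user, in chronological order."""
    return [rule for u, rule, _ in detect(events) if u == user]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data, alice triggers all three rules (the failed-login burst, the login from a new IP, and two change attempts right after it) while bob, whose only login seeds his baseline, triggers none. In practice the new-IP rule needs a baseline of several days of genuine logins before it is useful, and the change-after-new-IP rule is the one worth paging on.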