paxaccount.blogg.se

Lastpass browser extension vulnerabilities

As noted in the report, “an isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared.” This client-side vulnerability in the LastPass browser extensions was caused by the way LastPass behaves in “isolated worlds”.
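To make the quoted definition concrete, the following added example (not code from LastPass or from the report) simulates two worlds with Node's `vm` module: each context has its own globals, and a constructed `dom` object stands in for the shared DOM. The `fill:` message format and `acceptRequest` are hypothetical, and show only that data read from the shared DOM is page-controlled input that the extension side has to validate.

```javascript
// Added illustration: two JavaScript "worlds" that share one DOM stand-in.
// The vm lookup works whether this file is loaded as CommonJS or as an ES module.
const vm = typeof require === 'function' ? require('node:vm') : process.getBuiltinModule('node:vm');

// Constructed stand-in for the shared DOM: one element with string attributes.
function makeSharedDom() {
  const attrs = new Map();
  return {
    setAttribute: (k, v) => { attrs.set(String(k), String(v)); },
    getAttribute: (k) => (attrs.has(String(k)) ? attrs.get(String(k)) : null),
  };
}

function runWorlds() {
  const dom = makeSharedDom();
  // Each world gets its own global object; only `dom` is common to both.
  const pageWorld = vm.createContext({ dom });
  const extensionWorld = vm.createContext({ dom });

  // Page script: defines a global and writes to the shared DOM.
  vm.runInContext(`
    var trustedFlag = true;                              // page-world global
    dom.setAttribute('data-request', 'fill:example.test');
  `, pageWorld);

  // Extension content script: has its own globals, but reads the same DOM.
  return vm.runInContext(`
    ({
      seesPageGlobal: typeof trustedFlag !== 'undefined',
      domValue: dom.getAttribute('data-request'),
    })
  `, extensionWorld);
}

// Hypothetical policy (an assumption, not LastPass's fix): treat DOM data as
// untrusted, accept only a strict format, and compare it with an origin the
// extension resolved itself rather than one the page supplied.
function acceptRequest(domValue, tabOrigin) {
  const m = /^fill:([a-z0-9.-]+)$/.exec(domValue || '');
  if (!m) return false;
  let host;
  try { host = new URL(tabOrigin).hostname; } catch { return false; }
  return host === m[1];
}
```

`runWorlds()` shows that the page's global is invisible to the second world while the attribute written by the page is readable there.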

  • Uninstalling is not required to download the updated version.
  • Most users should be updated automatically, but the latest versions can always be downloaded at.
  • Check the LastPass extension icon > More options > About LastPass for your version number.
  • All of your LastPass browser extensions should be updated to version 4.1.44 or higher.
  • Our mobile apps for Android, iOS, and Windows Phones were not affected.
  • All extensions have now been updated with the fix and submitted to the extension stores.
  • This requires a per-user attack that must be executed through the user’s local browser.
  • Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware.
  • This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension.

Please note, due to the nature of the vulnerability, this postmortem is highly technical. Now that the issue is resolved, we want to provide a postmortem to our community on what the report entailed and how we are building a better, more secure LastPass going forward.


Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at.


Most users will be updated automatically. On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.












