Zero-day flaw leaves LastPass vulnerable to attack [UPDATE: it's fixed]
A Google Project Zero hacker has discovered a zero-day vulnerability in the password manager LastPass that could lead to accounts being completely compromised.
The security flaw can be triggered by visiting a malicious website, and it has been confirmed to be an issue by white hat security researcher Tavis Ormandy. He has filed a full report to LastPass with a view to getting the vulnerability patched.
Google relaxes Project Zero bug disclosure policy after Microsoft complaints
Google managed to ruffle a few feathers recently by disclosing bugs and security problems in widely used software. Project Zero is used to encourage companies to fix issues that have been detected by imposing a 90-day deadline before details of the vulnerabilities are made public.
Microsoft was angered a month ago when Google published details of a security issue in Windows 8.1 just a few days before a patch was due to be released. A few days later, two more bugs were revealed leading to complaints not just from Microsoft but from software users. Now Google has backed down and announced a slight relaxing of its previously strict 90-day disclosure policy.
Google announces Project Zero, aims to protect users from attack
Not many days pass without security being in the news in some form or another. Most of that news isn't good either. Services being attacked through vectors like DDoS, gaping holes in software that many people use everyday -- hello, Adobe and Java.
Now Google is taking its own steps to try and protect users. The company has already implemented SSL for many of its services, but the latest push is against zero-day vulnerabilities.