A recently disclosed security vulnerability in the popular KeePass 2 password manager affects all versions of the application, but only if the automatic check for updates is enabled.
KeePass 2 can periodically check for program updates. When this option is enabled the check itself runs automatically, but automatic download and installation of updates is not supported.
Here is how it works: the KeePass app contacts a server to check whether an update is available. If one is, the user can click to view it, and KeePass opens a web page from which the new version can be downloaded.
The vulnerability exploits the fact that KeePass 2 retrieves its update information over HTTP rather than HTTPS. An attacker on the network path (on a local network, for example) can intercept the update request and send forged update information to the KeePass 2 client, prompting users to open a web page where a malicious version of KeePass is offered for download.
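The following simulation is an added example, not KeePass code and not the real KeePass update protocol. It models the attack described above and one way to defend against it: a client that trusts a plaintext HTTP reply (version number and download URL) is redirected by an on-path rewrite, while a client that refuses non-HTTPS channels, verifies a signature over the version metadata and only ever navigates to a pinned download page rejects the tampered reply. The metadata format, URLs and key are constructed for the example; HMAC stands in for the public-key signature a real updater would use, so the shared key is a modelling assumption, not a recommendation.

```python
"""Simulated update check: unauthenticated HTTP metadata vs. authenticated metadata.

Constructed example. The metadata format, URLs and keys are assumptions and are
not KeePass's real update protocol.
"""
import hashlib
import hmac
import re
from typing import Callable, Optional
from urllib.parse import urlparse

INSTALLED_VERSION = (2, 33)

# Pinned, HTTPS-only download page. The hardened client never navigates to a
# URL taken from the update response, only to this constant.
PINNED_DOWNLOAD_PAGE = "https://downloads.example.invalid/keepass/"

# Constructed version metadata as the vendor would publish it. The
# "version=MAJOR.MINOR" / "url=" format is an assumption for this example.
GENUINE_METADATA = "version=2.34\nurl=https://downloads.example.invalid/keepass/\n"

# Stand-in key. A real updater ships only a public key and verifies an
# asymmetric signature (Ed25519, RSA-PSS); HMAC keeps this example
# standard-library-only, so the shared key is a modelling assumption.
DEMO_SIGNING_KEY = b"constructed-demo-signing-key"


def sign_metadata(body: str) -> str:
    """Hex MAC over the metadata body (stand-in for a detached signature)."""
    return hmac.new(DEMO_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


# Simulated servers: the legacy one serves bare metadata over HTTP, the hardened
# one serves the same metadata plus a trailing signature line over HTTPS.
SERVERS = {
    "http://update.example.invalid/version.txt": GENUINE_METADATA,
    "https://update.example.invalid/version.txt":
        GENUINE_METADATA + "sig=" + sign_metadata(GENUINE_METADATA) + "\n",
}


def fetch(url: str, on_path: Optional[Callable[[str], str]] = None) -> str:
    """Simulated GET. `on_path` models an attacker who can rewrite the reply.
    With real TLS the rewrite would break the session; applying it to every
    scheme here lets the signature check be tested as an independent layer."""
    body = SERVERS[url]
    return on_path(body) if on_path is not None else body


def attacker_rewrite(body: str) -> str:
    """MITM: announce a bogus new version and point the client at a malicious page."""
    body = re.sub(r"^version=.*$", "version=9.99", body, flags=re.M)
    return re.sub(r"^url=.*$", "url=http://evil.example.invalid/KeePass-Setup.exe",
                  body, flags=re.M)


def parse_fields(body: str) -> dict:
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_version(text: str) -> tuple:
    match = re.fullmatch(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("malformed version string")
    return (int(match.group(1)), int(match.group(2)))


def vulnerable_check(url: str, on_path=None) -> Optional[str]:
    """Plain-HTTP check that trusts both the version and the URL in the reply.
    Returns the page the user would be sent to, or None if up to date."""
    fields = parse_fields(fetch(url, on_path))
    if parse_version(fields["version"]) > INSTALLED_VERSION:
        return fields["url"]  # attacker-controlled after a rewrite
    return None


def hardened_check(url: str, on_path=None) -> Optional[str]:
    """HTTPS-only, signature-verified check that ignores any URL in the reply."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing plaintext update channel")
    lines = fetch(url, on_path).splitlines(keepends=True)
    if not lines or not lines[-1].startswith("sig="):
        raise ValueError("unsigned update metadata")
    signed_part = "".join(lines[:-1])
    sig = lines[-1].strip()[len("sig="):]
    if not hmac.compare_digest(sig, sign_metadata(signed_part)):
        raise ValueError("update metadata signature mismatch")
    fields = parse_fields(signed_part)
    if parse_version(fields["version"]) > INSTALLED_VERSION:
        return PINNED_DOWNLOAD_PAGE
    return None


if __name__ == "__main__":
    http_url = "http://update.example.invalid/version.txt"
    https_url = "https://update.example.invalid/version.txt"
    print("vulnerable, no attacker:", vulnerable_check(http_url))
    print("vulnerable, MITM:       ", vulnerable_check(http_url, attacker_rewrite))
    print("hardened, no attacker:  ", hardened_check(https_url))
    try:
        hardened_check(https_url, attacker_rewrite)
    except ValueError as exc:
        print("hardened, MITM:          rejected:", exc)
```

Run as a script, the vulnerable client is sent to the attacker's download URL after the rewrite, while the hardened client rejects the tampered metadata and, even for a genuine update, only opens the pinned HTTPS page. The two defences are independent: HTTPS stops the on-path rewrite, and the signature over the metadata catches tampering anywhere between the vendor's signing step and the client, including a downgraded or mirrored channel.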
According to the report, the KeePass developer will not fix the problem.
How to protect yourself:
Those of you using KeePass currently have one option: disable the check for updated versions.
Open the KeePass 2 software on your system.
Choose Tools > Options from the menu.
On the Advanced tab in the options window, uncheck "Check for KeePass Updates on Startup."
The downside is that you then need another way to learn about new releases. You can visit the application's website, or subscribe to the KeePass RSS feed if you use an RSS reader.