A popular security vulnerability applicationThe recently disclosed KeePass 2 affects all its versions password manager, but only if automatic software updates are enabled.
The KeePass 2 application has the ability to periodically check for program updates. Although checks for new updates are carried out indefinitely, if the feature is enabled, downloading and installing updates automatically is not supported.
Let's see what happens: The KeePass app contacts a service to check if an update is available. Users can then click to view the updated one version, και εφόσον υπάρχει διαθέσιμη ενημέρωση θα ανοίξει μια σελίδα στο Internet που διαθέτει το αρχείο για λήψη.
Vulnerability takes advantage of the fact that KeePass 2 distributes updates via HTTP rather than HTTPS. An attacker could take advantage of the fact by withholding requests for information, for example on a local network, by sending false information to the KeePass 2 client to make users open an internet site where a malicious version of the KeePass.
KeePass developer will not fix the problem, according to the report.
How to protect yourself:
Those of you using KeePass have one option to disable updates for updates.
Open the KeePass 2 software on your system.
Choose Tools> Options from the menu
On the Advanced tab in the options window, uncheck "Check for KeePass Updates on Startup."
The downside is that you need to find a way to get informed about new updates. You can visit the application's website for this, or register with the KeePass RSS Feed if you are using an RSS reader.
