Vendor remains silent over buffer overflow vulnerability

An estimated 20,000 people who have downloaded Handy Password, a password manager and autofill tool, have been urged to stop using the software, after a security researcher identified a critical vulnerability that could give an attacker full control over their device.

The flaw, which was spotted by Tempest Security Intelligence researcher Filipe Xavier, affects the password manager’s Open from Mailbox feature, which allows users to access their credentials from a remote mail server.

Xavier discovered that Handy Password does not validate the number of characters in the Title Name field at the time of its import.

To exploit the flaw, an attacker could manipulate a password file by inserting a specific combination of characters in the name field. In another scenario, the attacker could send a fake file which, when processed by Handy Password, would cause the same problem.
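The class of bug described above, a field copied on import without checking its length, is shown here beside a validated version. This is an added illustration in C, not Handy Password's code: the record layout, `TITLE_MAX`, and both function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64 /* assumed size of the in-memory title buffer */

struct entry { char title[TITLE_MAX]; };

/* Constructed record layout (assumption, not Handy Password's real format):
 * 2-byte little-endian title length, then that many title bytes. */

/* Unsafe pattern: the length stored in the file is trusted, so a record
 * declaring more than TITLE_MAX - 1 bytes writes past e->title. */
int import_title_unchecked(struct entry *e, const uint8_t *rec, size_t rec_len)
{
    size_t n = rec[0] | ((size_t)rec[1] << 8);
    (void)rec_len;                      /* never consulted: that is the bug */
    memcpy(e->title, rec + 2, n);
    e->title[n] = '\0';
    return 0;
}

/* Hardened import: every length is validated before any byte is copied. */
int import_title_checked(struct entry *e, const uint8_t *rec, size_t rec_len)
{
    size_t n;
    if (rec_len < 2) return -1;              /* truncated length header */
    n = rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - 2) return -1;          /* claims more data than present */
    if (n >= sizeof e->title) return -1;     /* no room for title plus NUL */
    memcpy(e->title, rec + 2, n);
    e->title[n] = '\0';
    return 0;
}

int main(void)
{
    struct entry e;
    uint8_t ok[] = { 5, 0, 'g', 'm', 'a', 'i', 'l' };   /* constructed sample */
    uint8_t big[2 + 300] = { 0x2C, 0x01 };              /* declares 300 bytes */
    printf("normal record:   %d\n", import_title_checked(&e, ok, sizeof ok));
    printf("oversize record: %d\n", import_title_checked(&e, big, sizeof big));
    return 0;
}
```

The checked version rejects the record before copying rather than truncating it, so a malformed file fails the import instead of being partially loaded.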

“It’s possible to trigger the buffer overflow remotely if the user opens a malicious database file through the Open from Mailbox function,” said Xavier. “In this case, an attacker can execute arbitrary code remotely.”

Available for Windows 2000, XP, 2003, Vista, and 7, the current version of Handy Password (4.9.3) was released in May 2011, and it’s understood that the software has received no updates since then.

The severity of the flaw is tempered by the fact that ‘remote’ in this context means remote code execution on the TPM component. To mount the attack, local host access is still required.

However, the password manager has received an estimated 20,000 downloads since its launch, and Xavier urged customers to discontinue their use of the product until the vulnerability is patched.

“The first recommendation is to urgently stop the use of Handy Password until a security version is released,” Xavier told The Daily Swig. “For users who still wish to use the Handy Password, my advice is to always check the hash of your database file.”

Xavier alerted the software vendor, Novosoft, to the RCE vulnerability on October 19, and once again in November. The company did not respond to his messages, nor to a subsequent request for comment from The Daily Swig.