Ormandy has reported Vulnerability-related.DiscoverVulnerability several critical security flaws in the password manager during the past week , and this weekend he has managed to discover Vulnerability-related.DiscoverVulnerability a new one . “ I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way , ” he stated in his tweet . Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. pic.twitter.com/vQn20D9VCy — Tavis Ormandy ( @ taviso ) March 25 , 2017 This member of Google ’ s Project Zero security team is already well known for his abilities to locate and report Vulnerability-related.DiscoverVulnerability serious vulnerabilities in many widely used services , and even in the password manager that was supposed to be safe . The comment from LastPass states that the flaw is “ unique and highly sophisticated ” . So far , they have not shared any details that could be exploited Vulnerability-related.DiscoverVulnerability before fixing Vulnerability-related.PatchVulnerability is complete , but this is the second weekend in a row that LastPass security team is on a bug fixing Vulnerability-related.PatchVulnerability duty . They thanked Tavis and others like him for reporting Vulnerability-related.DiscoverVulnerability these sort of problems and helping them make online security even better for the rest of their users . Not everyone was happy about Ormandy ’ s newest twitter news . Some even called him on sharing Vulnerability-related.DiscoverVulnerability the news about the latest bug problem , believing that his actions only cause fear and uncertainty . What they fail to realize Vulnerability-related.DiscoverVulnerability is that all services have to face vulnerabilities from time to time , and all of them get patched up Vulnerability-related.PatchVulnerability as soon as they are discovered Vulnerability-related.DiscoverVulnerability . Most if not all online services have had their fair share Vulnerability-related.DiscoverVulnerability of security issues , and most of them managed to get discovered Vulnerability-related.DiscoverVulnerability and fixed Vulnerability-related.PatchVulnerability by people like Ormandy .

On Friday , a cache of hacking tools allegedly developed by the US National Security Agency was dumped online . The news was explosive in the digital security community because the tools contained methods to hack computers running Windows , meaning millions of machines could be at risk . Security experts who tested the tools , leaked by a group called the Shadow Brokers , found that they worked . They were panicked : This is really bad , in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe . — Hacker Fantastic ( @ hackerfantastic ) April 14 , 2017 But just hours later , Microsoft announced that many of the vulnerabilities were addressed Vulnerability-related.PatchVulnerability in a security update released Vulnerability-related.PatchVulnerability a month ago . “ Today , Microsoft triaged a large release of exploits made publicly available by Shadow Brokers , ” Philip Misner , a Microsoft executive in charge of security wrote in a blog post . “ Our engineers have investigated the disclosed exploits , and most of the exploits are already patched Vulnerability-related.PatchVulnerability . ” Misner ’ s post showed that three of nine vulnerabilities from the leak were fixed Vulnerability-related.PatchVulnerability in a March 14 security update . As Ars Technica pointed out , when security holes are discovered Vulnerability-related.DiscoverVulnerability , the individual or organization that found Vulnerability-related.DiscoverVulnerability them is usually credited in the notes explaining the update . No such acknowledgment was found in the March 14 update . Here ’ s a list of acknowledgments for 2017 , showing credit for finding security problems in almost every update . One theory among security practitioners is that the NSA itself reported Vulnerability-related.DiscoverVulnerability the vulnerabilities to Microsoft , knowing that the tools would be dumped publicly . Microsoft told ZDNet that it might not list individuals who discover Vulnerability-related.DiscoverVulnerability flaws for a number of reasons , including by request from the discoverer . The US government has not commented on this leak , though previous leaks by the Shadow Brokers claiming to be NSA hacking tools were confirmed at least in part by affected vendors and NSA whistleblower Edward Snowden .