| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <02d301c33b52$7dd209e0$c516a8c0@palindrome> From: jeremiah at nur.net (Jeremiah Cornelius) Subject: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow > If a control has a digital > signature, it means that the control has not been > tampered with and is guaranteed to be exactly the same > as when the software publisher created it. C'mon! This is assuming a secure PKI implementation, where you are assured that the Private Key has been maintained securely, and actually used by the party it was issued to. Microsoft's 'Authenticode' has emphatically failed to meet this description, ashas been demonstrated a number of times. The most dramatic with the distribution of compromised components, signed - apparently - by Microsoft (!!) with a legitimate but falsley issued key. All the more disastrous, as MS left out a certificate -revocation mechanism for 'Authenticode!' http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp -- Jeremiah Cornelius
Powered by blists - more mailing lists