Message-ID: <200308041842.h74IgkQI007384@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Microsoft win2003server phone home 

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde@...et.no>  said:

> > 3.  Could it be considered as a security risk to let a newly installed server,
> > request information from an arbitrary server that I have no control over ?
> security in the way that your server might end up getting exploited because
> of it?
> no, i dont think so..
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI
to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had
trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from
a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/2cd5efa4/attachment.bin

Powered by blists - more mailing lists