From: jasonc at science.org (Jason Coombs)
Subject: Microsoft win2003server phone home 

> Closing down *most* of these exposures is why the 'rpm' package manager
> supports using PGP to sign the packages...

You *do* realize that digital signatures can be forged with theft of private
keys, right?

You *do* realize that Microsoft deployed a bunch of PKI code that accepts
arbitrary certificate chains and allows any certificate, even an End Entity
certificate, to be used as an intermediate CA certificate for the purpose of
issuing new arbitrary certificates including those that are used to digitally
sign code, right?

You *do* realize that CAs made serious mistakes in the past, including issuing
authentic certificates to unauthorized people (VeriSign) and issuing End
Entity certificates without the End Entity bit present (Thawte, FreeSSL.com,
others), right?

You *do* realize that bugs may exist in rpm's client socket routines that
would allow remote-exploitable buffer overflows to be mounted by a MITM,
right?

And surely you *must* realize that we can spend days making lists of known
threats and *still* fail to identify *all* possible threats.

No communication that crosses organizational boundaries should *ever* be
automated. Least of all code updates.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
Valdis.Kletnieks@...edu
Sent: Monday, August 04, 2003 8:43 AM
To: martin scherer
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Microsoft win2003server phone home


On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde@...et.no>  said:

> > 3.  Could it be considered as a security risk to let a newly installed server,
> > request information from an arbitrary server that I have no control over ?
> security in the way that your server might end up getting exploited because
> of it?
> no, I don't think so..
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use
PKI to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all*
had trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch
from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...
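The exchange above argues about whether signature checking on updates is worth anything when the verifier's chain validation is sloppy; Jason's example is PKI code that lets an End Entity certificate act as an intermediate CA. The following is an added example, not code from either poster, showing what a correct verifier does with that case. It uses only Go's standard library: it constructs a throwaway root CA, a legitimate code-signing End Entity certificate chained to it, and a "rogue" certificate minted with the End Entity's private key, then asks crypto/x509 to validate both for code signing. The certificate names, serial numbers and lifetimes are constructed for the demo; the point is that a verifier which honours the Basic Constraints cA flag rejects the rogue chain no matter how well-formed the signatures are.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed serial numbers for the demo certificates (not from any real CA).
var nextSerial int64 = 1

// makeCert issues a certificate for cn, signed by parent/parentKey.
// A nil parent yields a self-signed certificate. isCA controls the Basic
// Constraints cA flag, the attribute an intermediate CA must carry.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // always emit Basic Constraints so cA=false is explicit
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End Entity certificates in this demo are code-signing certificates.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyCodeSigner checks that leaf chains to the trusted root for the
// code-signing purpose, using whatever intermediates the signer shipped.
// It returns the verification error, or nil when a valid chain exists.
func verifyCodeSigner(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// RunDemo builds the three certificates and reports whether the legitimate
// End Entity certificate verifies and whether the rogue one is rejected.
func RunDemo() (legitOK bool, rogueRejected bool, err error) {
	root, rootKey, err := makeCert("Demo Root CA", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	leaf, leafKey, err := makeCert("Demo Publisher", false, root, rootKey)
	if err != nil {
		return false, false, err
	}
	// The failure mode from the thread: an End Entity certificate used as if it
	// were an intermediate CA. The signature on rogue is cryptographically fine.
	rogue, _, err := makeCert("Rogue Publisher", false, leaf, leafKey)
	if err != nil {
		return false, false, err
	}
	legitOK = verifyCodeSigner(leaf, nil, root) == nil
	rogueRejected = verifyCodeSigner(rogue, []*x509.Certificate{leaf}, root) != nil
	return legitOK, rogueRejected, nil
}

func main() {
	ok, rejected, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate chain accepted: %v\nrogue chain rejected: %v\n", ok, rejected)
}
```

The rogue chain fails not because any signature is bad but because the only candidate issuer, the legitimate End Entity certificate, carries Basic Constraints cA=false (and lacks the keyCertSign key usage), so a conforming path builder refuses to treat it as a CA. A verifier that skips that check, as the PKI code Jason describes did, would accept the rogue certificate as a valid code signer.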