Security Basics mailing list archives
RE: Operative System Updates
From: Ken Schaefer <Ken () adOpenStatic com>
Date: Fri, 15 Jun 2012 11:01:42 +0000
If OP is concerned about updates/service packs (the latter makes me think Windows) from a vendor, then worrying about MD5 collisions is probably moot. Also, if this is Windows, then any of the application packaging applications (Wise etc.) will do this. They snapshot before/after you make changes, and package everything up for you. Cheers Ken -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jeffrey Walton Sent: Friday, 15 June 2012 7:55 AM To: Dave Kleiman Cc: security-basics () securityfocus com Subject: Re: Operative System Updates On Thu, Jun 14, 2012 at 2:41 PM, Dave Kleiman <dave () davekleiman com> wrote:
haZ, For the files changed portion of your question, you could use something like Log Parser to gather lists of MD5s of files and compare them after. Like if you wanted EXEs in the sys32. logparser "SELECT Path, HASHMD5_FILE(Path) INTO EXE_MD5s.csv FROM C:\Windows\System32\*.exe" -i:FS -recurse:0 -o:csv
No, not MD5. In 2008, researchers set up a rogue CA. They were able to engineer collisions. "MD5 considered harmful today," http://www.win.tue.nl/hashclash/rogue-ca/. CAs responded with, "Past certificates are OK, its only future certificates we need to worry about." So a bunch of certs signed with MD5 continued to live. Mozilla told us (in 2008) they were working with CAs about those certificates: "MD5 Weaknesses Could Lead to Certificate Forgery," http://blog.mozilla.org/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/. But the damn things are still around in 2012: "By default, stop accepting MD5 as a hash algorithm in certificate signatures," https://bugzilla.mozilla.org/show_bug.cgi?id=590364. In 2012, bad guys were able to engineer collisions, too. But in a way that no researcher (that I am aware) took to proof of concept. The chosen prefix collision attacks are one of the reasons why Flame malware stayed under the radar for so long. "Microsoft Sub-CA used in malware signing," http://lists.randombit.net/pipermail/cryptography/2012-June/002961.html. Now that MD5 is more broken (???) - as if just "broken" was not enough - such that an attacker could potentially create a second binary file with an expected hash due to chosen prefix collisions and empty space in binaries, do you really think its suitable as a tripwire? Jeff
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of haZard0us Sent: Thursday, June 14, 2012 13:45 To: security-basics () securityfocus com Subject: Operative System Updates Hi all, I need to create a script that gathers information of the OS before and after the updates in order to detect changes and which updates/service packs were used. To be honest, I really don't know where to start. So, my question is which information should i gather in order to detect correctly which files were changed and which updates were used. Thanks in advance.
Current thread:
- Operative System Updates haZard0us (Jun 14)
- Re: Operative System Updates Littlefield, Tyler (Jun 14)
- RE: Operative System Updates Dave Kleiman (Jun 14)
- Re: Operative System Updates Andrew Cummings (Jun 14)
- Re: Operative System Updates Jeffrey Walton (Jun 14)
- RE: Operative System Updates Ken Schaefer (Jun 15)
- Fwd: Operative System Updates Michael Rawson (Jun 14)
- RE: Operative System Updates Morey, Adam (Jun 15)