Bugtraq mailing list archives
Re: MS signed software privileges
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Wed, 23 Feb 2000 20:15:09 -0500
In message <Pine.GSO.4.20.0002221939500.8993-100000 () ultra1 inconnect com>, Dax Kelson writes:
However (playing devil's advocate), you've trusted Microsoft to silently execute "any code" on your machine at least once before by installing their closed-source operating system, and that is a massive amount of unaudited code.
Yes and no. First, as Juan's original note pointed out, this creates risks from MS software you didn't install. Second, and perhaps more important, anyone who has ever administered a production system knows that you *don't* do updates, even "harmless" ones, on production systems without testing *in your environment*, and you *never* do them at critical periods. The ability for someone else to update my system is completely unacceptable, even without any security issues whatsoever.

--Steve Bellovin