Full Disclosure mailing list archives
RE: Microsoft win2003server phone home
From: "Jason Coombs" <jasonc () science org>
Date: Mon, 4 Aug 2003 10:37:20 -1000
Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...
You *do* realize that digital signatures can be forged with theft of private keys, right?

You *do* realize that Microsoft deployed a bunch of PKI code that accepts arbitrary certificate chains and allows any certificate, even an End Entity certificate, to be used as an intermediate CA certificate for the purpose of issuing new arbitrary certificates including those that are used to digitally sign code, right?

You *do* realize that CAs made serious mistakes in the past, including issuing authentic certificates to unauthorized people (VeriSign) and issuing End Entity certificates without the End Entity bit present (Thawte, FreeSSL.com, others), right?

You *do* realize that bugs may exist in rpm's client socket routines that would allow remote-exploitable buffer overflows to be mounted by a MITM, right?

And surely you *must* realize that we can spend days making lists of known threats and *still* fail to identify *all* possible threats.

No communication that crosses organizational boundaries should *ever* be automated. Least of all code updates.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Monday, August 04, 2003 8:43 AM
To: martin scherer
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft win2003server phone home

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde () monet no> said:
3. Could it be considered a security risk to let a newly installed server request information from an arbitrary server that I have no control over?

Security in the way that your server might end up getting exploited because of it? No, I don't think so. Security in a way that you might get caught using an illegal copy of a Win2003 server? Yup.
You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
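The chain-validation flaw Jason raises above (an End Entity certificate accepted as an issuer of further certificates) is exactly what a basicConstraints check in the verifier prevents. The program below is an added example, not code from this thread or from any vendor; it uses Go's standard crypto/x509 verifier to show that a code-signing certificate issued by a CA=FALSE leaf does not chain to the root, while the leaf itself does. Every name and key in it is constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a code-signing certificate template; the caller sets keyCertSign only for a CA.
func tmpl(serial int64, cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true, IsCA: isCA,
	}
}
// issue signs template t with the parent's private key and returns the parsed certificate.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}
// CheckChains builds root -> vendor (end entity) -> rogue signer and reports whether the verifier
// accepts (1) the vendor cert and (2) the rogue cert. A correct verifier answers (true, false).
func CheckChains() (vendorOK, rogueOK bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	vendorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootT := tmpl(1, "Example Root CA", true, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	vendor := issue(tmpl(2, "Vendor code signer", false, x509.KeyUsageDigitalSignature), root, &vendorKey.PublicKey, rootKey)
	rogue := issue(tmpl(3, "Rogue code signer", false, x509.KeyUsageDigitalSignature), vendor, &rogueKey.PublicKey, vendorKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(vendor) // offered as an "intermediate" even though it is an end entity
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	_, errVendor := vendor.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: eku})
	_, errRogue := rogue.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: eku})
	return errVendor == nil, errRogue == nil
}
```

The rogue verification fails with a "not authorized to sign" error because the vendor certificate carries basicConstraints CA=FALSE; a verifier that skips that check is the one Jason describes.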