Security Incidents mailing list archives
Re: strange software > winsupdater.exe
From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Mar 2005 13:20:57 -0500
On Thu, 17 Mar 2005 03:08:14 PST, Harlan Carvey said:
> However, you _can_ get a warm fuzzy if the file has the MS file version information compiled into it.
And you verify the authenticity of your warm fuzzy how, exactly?

    const char MS_version[] = "bogus MS file version info goes here";

(Remember - we've already had major worms that crafted a totally bogus "X-Virus: scanned by" header claiming a real AV had scanned it....)
> That warm fuzzy can be increased if the file is digitally signed by MS.
First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html

Second, remember that you're worried that the machine is compromised - and you're asking it to verify the signature. Again, if the box is compromised, the DLL that verifies signatures could be backdoored as well. This is why you *really* need to boot from a known-clean CD and verify the signatures from there.
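The two points of the reply above, as an added example that is not part of the original message: a check that reads a vendor string out of the file passes anything carrying that string, while a comparison run from a known-clean environment against a reference built elsewhere does not. It compares SHA-256 hashes with a known-good manifest rather than verifying signatures; the file names, the `VENDOR` string, the manifest format and the function names are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

VENDOR = b"Microsoft Corporation"  # assumed string a naive check looks for

def naive_vendor_check(path):
    """Weak: trusts a vendor string stored in the file's own bytes."""
    with open(path, "rb") as f:
        return VENDOR in f.read()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit(root, manifest):
    """Compare files under root with manifest {relative path: sha256}.
    Assumption: root is the suspect volume mounted read-only from clean
    boot media, and manifest was built elsewhere from known-good media."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if sha256_file(path) == expected else "mismatch"
    for dirpath, _, names in os.walk(root):  # files the manifest never listed
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            report.setdefault(rel.replace(os.sep, "/"), "unlisted")
    return report

def demo():
    """Constructed sample: one intact file, one replaced, one extra."""
    good = b"MZ original library " + VENDOR
    digest = hashlib.sha256(good).hexdigest()
    files = {"shell.dll": good,
             "verify.dll": b"MZ replaced library " + VENDOR,
             "extra.exe": b"MZ dropped program " + VENDOR}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        naive = {n: naive_vendor_check(os.path.join(root, n)) for n in files}
        return naive, audit(root, {"shell.dll": digest, "verify.dll": digest})
```

All three constructed files pass the string check; only the hash comparison separates the intact file from the replaced and unlisted ones.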