Re: Microsoft win2003server phone home

[Valdis.Kletnieks () vt edu]

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde () monet no>  said:

> > 3.  Could it be considered as a security risk to let a newly installed server,
> > request information from an arbitrary server that I have no control over ?
> security in the way that your server might end up getting exploited because
> of it?
> no, i dont think so..
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI
to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had
trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from
a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...

Attachment: _bin
Description: