Full Disclosure mailing list archives
Re: Microsoft win2003server phone home
From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Aug 2003 14:42:44 -0400
On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde () monet no> said:
> > 3. Could it be considered as a security risk to let a newly installed server, request information from an arbitrary server that I have no control over ?
>
> security in the way that your server might end up getting exploited because of it? no, I don't think so..
> security in a way that you might get caught using an illegal copy of a win2003 server? yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?

http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI to identify the download server, resulting in a possible MITM attack, right?

http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had trojan'ed distributions put on their *official* download site?

http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...
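
[Added example, not part of the original post: a shell gate that installs an rpm only when a PGP signature verified, since an unsigned package can still pass the plain digest check. The function names are hypothetical, the sample lines in the comments are constructed, and the summary format "digests signatures OK" is assumed to be what rpm 4.14 or later prints for `rpm -K`.]

```shell
#!/bin/sh
# A digest only proves the file matches its own header; whoever controls the
# download server can regenerate it. Only a signature checked against a key
# obtained out of band (and loaded with `rpm --import KEYFILE`) ties the
# package to its publisher.

# classify_checksig LINE -> prints signed-ok | unsigned | bad
# LINE is one summary line from `rpm -K` (assumed rpm 4.14+ format), e.g.
#   pkg.rpm: digests signatures OK       signature verified
#   pkg.rpm: digests OK                  no signature present at all
#   pkg.rpm: digests SIGNATURES NOT OK   bad signature or unknown key
classify_checksig() {
    summary=${1##*: }                 # drop the "filename: " prefix
    case "$summary" in
        *"NOT OK"*)     echo bad ;;
        *signatures*OK) echo signed-ok ;;
        *OK)            echo unsigned ;;
        *)              echo bad ;;
    esac
}

# verify_rpm FILE -> prints the verdict, succeeds only for signed-ok
verify_rpm() {
    out=$(LC_ALL=C rpm -K "$1" 2>&1) || { echo bad; return 1; }
    verdict=$(classify_checksig "$out")
    echo "$verdict"
    [ "$verdict" = signed-ok ]
}

# install_verified FILE -> installs only a package whose signature verified
install_verified() {
    if verify_rpm "$1" >/dev/null; then
        rpm -Uvh "$1"
    else
        echo "refusing to install $1: no verified signature" >&2
        return 1
    fi
}
```
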