Full Disclosure mailing list archives

RE: Microsoft win2003server phone home


From: "Jason Coombs" <jasonc () science org>
Date: Mon, 4 Aug 2003 10:37:20 -1000

> Closing down *most* of these exposures is why the 'rpm' package manager
> supports using PGP to sign the packages...

You *do* realize that digital signatures can be forged with theft of private
keys, right?

You *do* realize that Microsoft deployed a bunch of PKI code that accepts
arbitrary certificate chains and allows any certificate, even an End Entity
certificate, to be used as an intermediate CA certificate for the purpose of
issuing new arbitrary certificates including those that are used to digitally
sign code, right?

You *do* realize that CAs made serious mistakes in the past, including issuing
authentic certificates to unauthorized people (VeriSign) and issuing End
Entity certificates without the End Entity bit present (Thawte, FreeSSL.com,
others), right?

You *do* realize that bugs may exist in rpm's client socket routines that
would allow remote-exploitable buffer overflows to be mounted by a MITM,
right?

And surely you *must* realize that we can spend days making lists of known
threats and *still* fail to identify *all* possible threats.

No communication that crosses organizational boundaries should *ever* be
automated. Least of all code updates.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Valdis.Kletnieks () vt edu
Sent: Monday, August 04, 2003 8:43 AM
To: martin scherer
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft win2003server phone home


On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde () monet no>  said:

> 3. Could it be considered as a security risk to let a newly installed server
> request information from an arbitrary server that I have no control over?
> Security in the way that your server might end up getting exploited because
> of it?
> No, I don't think so...
> Security in a way that you might get caught using an illegal copy of a
> win2003 server?
> Yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use
PKI to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all*
had trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch
from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...
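The certificate-chain point raised above (an End Entity certificate being accepted as an issuer of further certificates), as an added example that is not part of this thread: a constructed three-certificate chain, checked once by signature alone and once by full path validation, which enforces basicConstraints. The names in the chain are assumptions made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a cert for a fresh P-256 key, signed by parentKey (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // basicConstraints always present; cA=TRUE only for the root
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds root CA -> ordinary End Entity cert -> a cert that End Entity improperly "issued" (constructed names),
// then judges the bogus cert two ways: by signature alone and by full RFC 5280 path validation.
func Demo() (sigOnly bool, pathErr error) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	leaf, leafKey := issue("ordinary-endentity.example", false, root, rootKey)
	bogus, _ := issue("Unauthorized Code Signer", false, leaf, leafKey)
	// The End Entity's key really did sign bogus, so a validator that only checks signatures accepts it.
	sigOnly = leaf.CheckSignature(bogus.SignatureAlgorithm, bogus.RawTBSCertificate, bogus.Signature) == nil
	// Path validation requires cA=TRUE on every issuing cert, so the End Entity is refused as an issuer.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(leaf)
	_, pathErr = bogus.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return sigOnly, pathErr
}
func main() {
	sigOnly, pathErr := Demo()
	fmt.Println("signature-only check accepts:", sigOnly, "| path validation error:", pathErr) // true | non-nil
}
```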
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html