Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow

From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Wed, 25 Jun 2003 12:46:37 -0700
If a control has a digital
signature, it means that the control has not been
tampered with and is guaranteed to be exactly the same
as when the software publisher created it.


C'mon!  This is assuming a secure PKI implementation, where you are assured
that the Private Key  has been maintained securely, and actually used by the
party it was issued to.   Microsoft's 'Authenticode'  has emphatically
failed to meet this description, ashas been demonstrated a number of times.
The most dramatic with the distribution of compromised components, signed -
apparently - by Microsoft (!!) with a legitimate but falsley issued key.
All the more disastrous, as MS left out a certificate -revocation mechanism
for 'Authenticode!'

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp

--
Jeremiah Cornelius


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: