Full Disclosure mailing list archives
Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow
From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Wed, 25 Jun 2003 12:46:37 -0700
> If a control has a digital signature, it means that the control has not been tampered with and is guaranteed to be exactly the same as when the software publisher created it.
C'mon! This is assuming a secure PKI implementation, where you are assured that the Private Key has been maintained securely, and actually used by the party it was issued to. Microsoft's 'Authenticode' has emphatically failed to meet this description, as has been demonstrated a number of times. The most dramatic with the distribution of compromised components, signed - apparently - by Microsoft (!!) with a legitimate but falsely issued key. All the more disastrous, as MS left out a certificate-revocation mechanism for 'Authenticode!'

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp

-- Jeremiah Cornelius

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
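The distinction the reply draws, as an added example that is not part of the thread: a signature check answers only "do these bytes match this key", while chain, publisher identity and revocation are separate questions that a verifier must ask before trusting the signer. The mini-CA, publisher name and control bytes below are constructed for the demo, and it uses the `cryptography` package rather than any Authenticode tooling.

```python
"""Constructed demo: signature validity vs. trust in the signing key."""
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, issuer_key, serial):
    """Hypothetical mini-CA: issue a one-year cert (self-signed if issuer_key is None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, ca_cn, revoked_serials):
    """CRL signed by the CA listing the given serials; the piece MS01-017-era Authenticode lacked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name(ca_cn))
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def check_signed_code(code, sig, signer_cert, ca_cert, crl, publisher):
    """Return (signature_ok, chain_ok, not_revoked): three independent verdicts."""
    try:  # 1. Do the bytes match the signer's key? (integrity only)
        signer_cert.public_key().verify(sig, code, ec.ECDSA(hashes.SHA256()))
        signature_ok = True
    except Exception:
        signature_ok = False
    try:  # 2. Was the cert issued by the CA we trust, to the publisher we expect?
        ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                    ec.ECDSA(signer_cert.signature_hash_algorithm))
        chain_ok = (signer_cert.issuer == ca_cert.subject and
                    signer_cert.subject.rfc4514_string() == f"CN={publisher}")
    except Exception:
        chain_ok = False
    # 3. Has the issuer since withdrawn that cert? Only a CA-signed CRL counts.
    crl_ok = crl.is_signature_valid(ca_cert.public_key())
    revoked = crl.get_revoked_certificate_by_serial_number(signer_cert.serial_number)
    return signature_ok, chain_ok, crl_ok and revoked is None
```

A falsely issued but otherwise genuine certificate passes checks 1 and 2; only check 3 can catch it, which is why a verifier with no revocation path has no way to stop a known-bad key.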
Current thread:
- RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Jason Coombs (Jun 24)
- Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Cesar (Jun 25)
- Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Jeremiah Cornelius (Jun 25)
- Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Cesar (Jun 30)
- Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Cesar (Jun 25)