Security patch distribution - it's trojan time

[InfoSec News <isn () C4I ORG>]

http://www.theregister.co.uk/content/4/15618.html

By: John Leyden
Posted: 20/12/2000 at 18:16 GMT

The way operating system vendors issue security patches is insecure,
in many cases, and could let crackers exploit this to trick users into
loading trojan horses onto their systems.

Security firm BindView, whose Razor team of security researchers
completed the research, questioned 27 different vendors of commonly
used products on whether patches are accompanied by digital signatures
or other forms of cryptographic authentication. Its findings,
available in full here, are a real eye-opener because they highlight
glaring security gaps, not least that a minority of vendors, including
Apple and Compaq, provide no authentication for their patches.

"A number of the vendors (including some Fortune 500 companies) do not
offer patch authentication via any cryptographic method. This can make
it very difficult for customers to verify that they have obtained a
correct patch rather than a trojan horse," said Matt Power, of
BindView's Razor security team.

"A trojan-horse patch might be stored on the vendor's server if that
server were compromised by intruders," he added, a risk that has to be
taken more seriously given the recent hack of Microsoft's network, and
the defacement of web sites of security vendor Network Associates.

Power added that even if a vendor's server is not compromised,
well-known weaknesses in Internet protocols can be exploited to
deliver a trojan-horse patch to users.

Interestingly the research threw up an admission by Microsoft's
Security Response Center that "no more than several thousand people
have downloaded our PGP key". This means that only a very small number
of users are checking the authenticity of bulletins.

Richard Stagg, senior security architect at Information Risk
Management, said getting people to install trojan horses through
deceiving people into believing they were security updates was "a
standard hacking technique" which was "an extension of social
engineering".

Attacks based on subverting security patches were not common, because
they are difficult to arrange, but could potentially be "very bad" and
extend into the inclusion of trojan horses into software available on
CD-ROMs.

"Vendors have a duty to provide security patches, a pre-requisite to
which is that there must be a straightforward method to validate the
content. Its naive for vendors to expects users to automatically check
patches," said Stagg.

"If it takes time to verify patches the instinct of most people will
be to just grab a file and install it," he added.

[BindView's report:
http://razor.bindview.com/publish/papers/os-patch.html ]

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".