Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow

• Previous message: Treu, Jill: "RE: [Full-Disclosure] CD-ROM drive opens"
• In reply to: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"
• Next in thread: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Cesar" <cesarc56@yahoo.com>, <full-disclosure@lists.netsys.com>
Date: Wed, 25 Jun 2003 12:46:37 -0700

> If a control has a digital
> signature, it means that the control has not been
> tampered with and is guaranteed to be exactly the same
> as when the software publisher created it.

C'mon! This is assuming a secure PKI implementation, where you are assured
that the Private Key has been maintained securely, and actually used by the
party it was issued to. Microsoft's 'Authenticode' has emphatically
failed to meet this description, ashas been demonstrated a number of times.
The most dramatic with the distribution of compromised components, signed -
apparently - by Microsoft (!!) with a legitimate but falsley issued key.
All the more disastrous, as MS left out a certificate -revocation mechanism
for 'Authenticode!'

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp

--
Jeremiah Cornelius
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Treu, Jill: "RE: [Full-Disclosure] CD-ROM drive opens"
• In reply to: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"
• Next in thread: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]