Re: This Patch IS Signed (MS02-052, Q329077)
From: B. Goodman (no@spam.org)
Date: 09/27/02
- Next message: Joe: "Virus Masquerading as Microsoft Security Patch?!"
- Previous message: Eric Schultze [Shavlik]: "This Patch IS Signed (MS02-052, Q329077)"
- In reply to: Eric Schultze [Shavlik]: "This Patch IS Signed (MS02-052, Q329077)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: B. Goodman <no@spam.org> Date: Fri, 27 Sep 2002 14:52:37 -0400
In article <#vy#ULlZCHA.2256@tkmsftngp10>, eric@shavlik.com says...
> The JVM Patch is signed. Please download the patch - use the WindowsUpdate
> catalog function to locate and download the patch without installing it. it
> will get placed in a directory like so:
> \Software\en\com_microsoft.windows2000\x86win2k\com_microsoft.Q329077_VM_UPD
> _5710
>
> right click the exe (vm-sfix3.exe) and View Properties. There should be a
> digital signatures tab. This means the file is signed. If the file was
> corrupted during download, the digital signatures tab will not appear.
>
> OR
>
> Go to the command line and run sigverif.exe, click advanced, and choose to
> scan the path where the file exists. It will show one file (a .URL file)
> that is unsigned. This means the patch itself is signed.
>
> ------------
> I believe the issues you are seeing may be in regard to something else.
> Please read Mark Burnett's lengthy discussion of patch signature vs. signed
> driver here:
> http://archives.neohapsis.com/archives/sf/ms/2002-q1/0455.html
>
> --
> Eric Schultze
> Director of Product Research and Development
> Shavlik Technologies LLC
> news.shavlik.com
>
>
> "B. Goodman" <no@spam.org> wrote in message
> news:MPG.17fe5d70b600beee9896ac@msnews.microsoft.com...
> > OK, has anybody found that the Java VM patch is NOT digitally signed by
> > Microsoft? You know, it is a nuisance silently installing this on Win2K
> > machines that are set to disallow or warn of unsigned drivers and/or
> > software.
> >
> > Why would "Trustworthy" Microsoft not spend the few minutes required to
> > digitally sign ANY PATCH THEY CREATE?
> >
> > (On the other hand, in some small way it's pretty funny that MS will
> > warn you not to trust their software. That's an opinion shared by more
> > people every day!)
>
>
>
Sir:
Thank you for the Burnett article. The download DID have a digital
signature. Shame on me for believing Microsoft's warning about its own
software:
Digital Signature Not Found
The Microsoft digital signature affirms that software has been
tested with Windows and that the software has not been altered
since it was tested.
The software you are about to install does not contain a Microsoft
digital signature. Therefore, there is no guarantee that this
software works correctly with Windows.
Unknown software package
If you want to search for Microsoft digitally signed software,
visit the Windows Update Web site at....
So, there's no shame on Microsoft for not digitally signing their file.
However, it would seem that the whole signature business they have
implemented is complicated and runs the risk of providing the user
incorrect information. Sounds trustworthy to me. Which brings me back
to my original position of "Shame on Microsoft."
Thanks for your help!
- Next message: Joe: "Virus Masquerading as Microsoft Security Patch?!"
- Previous message: Eric Schultze [Shavlik]: "This Patch IS Signed (MS02-052, Q329077)"
- In reply to: Eric Schultze [Shavlik]: "This Patch IS Signed (MS02-052, Q329077)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
