Full Disclosure mailing list archives

Re: Microsoft win2003server phone home
From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Aug 2003 14:42:44 -0400

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <memoxyde () monet no>  said:

> > 3.  Could it be considered as a security risk to let a newly installed server,
> > request information from an arbitrary server that I have no control over ?
> security in the way that your server might end up getting exploited because
> of it?
> no, i dont think so..
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI
to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had
trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from
a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...
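
The package-signature check mentioned at the end of the message above, as an added example that is not part of the original post: a shell gate around `rpm -K` that installs a package only when a signature actually verified, because a package with valid digests and no signature also reports OK. The function names and the sample output lines are constructed, and the output patterns are an assumption modeled on two common rpm output layouts.

```shell
#!/bin/sh
# Added example (not from the original post).
# classify_checksig LINE: classify one line of `rpm -K` (--checksig) output
# as signed-ok, unsigned or rejected. The wording of that output differs
# between rpm releases; the patterns here are an assumption.
classify_checksig() {
    result=${1#*: }                      # drop the leading "file: " prefix
    case $result in
        *"NOT OK"*) echo rejected; return 0 ;;
    esac
    case $result in
        *OK) ;;
        *)   echo rejected; return 0 ;;  # empty or unexpected output
    esac
    # Lowercase tokens mean the item verified. Digests alone also end in
    # "OK", so require a token that names a verified signature.
    case " $result " in
        *" signatures "*|*" pgp "*|*" gpg "*|*" rsa "*|*" dsa "*) echo signed-ok ;;
        *) echo unsigned ;;
    esac
}

# install_if_signed PKG: install only when rpm verified a signature against
# a key that was imported beforehand with `rpm --import`.
install_if_signed() {
    pkg=$1
    out=$(LC_ALL=C rpm -K "$pkg" 2>/dev/null | tail -n 1)
    verdict=$(classify_checksig "$out")
    if [ "$verdict" != signed-ok ]; then
        echo "refusing $pkg ($verdict): $out" >&2
        return 1
    fi
    rpm -U "$pkg"
}

# Constructed sample lines, one per case the gate has to tell apart.
checksig_demo() {
    for line in \
        'pkg.rpm: digests signatures OK' \
        'pkg.rpm: digests OK' \
        'pkg.rpm: digests SIGNATURES NOT OK' \
        'pkg.rpm: sha1 md5 OK'
    do
        printf '%-40s -> %s\n' "$line" "$(classify_checksig "$line")"
    done
}
checksig_demo
```
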
