Bugtraq mailing list archives
Re: Microsoft Security Bulletin MS01-018 -- BAD SIGNATURE?
From: Caskey <caskey () TECHNOCAGE COM>
Date: Wed, 28 Mar 2001 06:34:03 -0800
On Mar 27, Microsoft Product Security quoth:
Title: Visual Studio VB-TSQL Object Contains Unchecked Buffer
I have been unable to verify the signature on this advisory as broadcast to the bugtraq list no matter how I try. Just to be sure I didn't suddenly start doing things differently, I went back and re-verified all the other Microsoft advisories for the month of March in the exact same manner and they all checked out.

I followed the link included in the invalid advisory <http://www.microsoft.com/technet/security/bulletin/MS01-018.asp>. It of course *appears* to be a valid advisory, but if appearances are all we rely upon that more or less makes the whole signing exercise a waste of time. As paypaI taught us, appearances can be deceiving, and the possibility of an attacker placing content on a vendor's website is not beyond imagination. The patch that is linked to is a plain EXE; the scenario of a bogus advisory with a trojaned patch would be an interesting vector to say the least. One that is complicated by the fact that many vendors do not publish checksums of patches in the signed component of their advisories (microsoft included). Neither does Microsoft serve up their patches via SSL.

That said, after verifying that it was, in fact, microsoft's website, I then looked for some link to the original signed advisory. I must admit this search was somewhat half-hearted as I fully did not expect to find it. From what I can discover being an irregular user of the technet site, Microsoft does not publish text copies of their signed advisories in their technet/security/bulletin pages.

In an attempt to see if it was only my copy that was broken somehow by my MTA, I went to the archives at security focus, hoping to locate a clean copy there <http://www.securityfocus.com/archive/1/171951>. Unfortunately there is no way to download a 'raw' copy of a message for verification. While HTML-ification is an obviously useful feature, the lack of a link to the original message makes it impossible for us to verify the signatures.

My questions:

Is this a legitimate advisory?
Does anyone possess a valid, signed copy of this advisory?
Am I being unreasonable in expecting advisories published by Microsoft (or any vendor) to be signed? (consistently)
Would the maintainer of the securityfocus archive consider allowing access to verifiable copies of the messages in the archive?

C=)

--------------------------------------------------------------------------
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea. -- Antoine de Saint Exupery
--------------------------------------------------------------------------
Caskey <caskey*technocage.com> /// TechnoCage Inc.
--------------------------------------------------------------------------
It's not an optical illusion, it just looks like one. -- Phil White