Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS01-018 -- BAD SIGNATURE?


From: Caskey <caskey () TECHNOCAGE COM>
Date: Wed, 28 Mar 2001 06:34:03 -0800

On Mar 27, Microsoft Product Security quoth:

Title:      Visual Studio VB-TSQL Object Contains Unchecked Buffer

I have been unable to verify the signature on this advisory as broadcast
to the bugtraq list no matter how I try.  Just to be sure I didn't
suddenly start doing things differently, I went back and re-verified all the
other Microsoft advisories for the month of March in the exact same manner
and they all checked out.

I followed the link included in the invalid advisory
<http://www.microsoft.com/technet/security/bulletin/MS01-018.asp>.  It of
course *appears* to be a valid advisory, but if appearances are all we rely
upon, that more or less makes the whole signing exercise a waste of time.

As paypaI taught us, appearances can be deceiving and the possibility of
an attacker placing content on a vendor's website is not beyond
imagination.  The patch that is linked to is a plain EXE; the scenario of
a bogus advisory with a trojaned patch would be an interesting vector, to say
the least.  One that is complicated by the fact that many vendors do not
publish checksums of patches in the signed component of their advisories
(Microsoft included).  Neither does Microsoft serve up their patches via
SSL.

That said, after verifying that it was, in fact, Microsoft's website, I
then looked for some link to the original signed advisory.  I must admit
this search was somewhat half-hearted as I fully did not expect to find
it.  From what I can discover being an irregular user of the technet site,
Microsoft does not publish text copies of their signed advisories in their
technet/security/bulletin pages.

In an attempt to see if it was only my copy that was broken somehow by my
MTA, I went to the archives at SecurityFocus, hoping to locate a clean
copy there <http://www.securityfocus.com/archive/1/171951>. Unfortunately
there is no way to download a 'raw' copy of a message for verification.
While HTML-ification is an obviously useful feature, the lack of a link to
the original message makes it impossible for us to verify the signatures.

My questions:

Is this a legitimate advisory?

Does anyone possess a valid, signed copy of this advisory?

Am I being unreasonable in expecting advisories published by Microsoft (or
any vendor) to be signed? (consistently)

Would the maintainer of the securityfocus archive consider allowing access
to verifiable copies of the messages in the archive?

C=)

--------------------------------------------------------------------------
If you want to build a ship, don't drum up people together to collect wood
 and don't assign them tasks and work, but rather teach them to long for
     the endless immensity of the sea. -- Antoine de Saint Exupery
--------------------------------------------------------------------------
Caskey <caskey*technocage.com>       ///                   TechnoCage Inc.
--------------------------------------------------------------------------
  It's not an optical illusion, it just looks like one.  -- Phil White
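
The checks the post above is asking for, as an added example that is not part of the original message and not Microsoft's or SecurityFocus's code: split an RFC 4880 clearsigned advisory into the text the signature actually covers and the armored signature, take the patch checksum only from that signed text (never from anything an archive or attacker may have appended around it), compare it with the hash of the patch bytes, and leave the signature check itself to gpg. The advisory, the patch bytes, the placeholder signature and the `SHA-256 (file) = hex` line format are all constructed for this example; gpg is assumed to be on PATH with the vendor's key imported, and everything except `gpg_verify` runs offline.

```python
"""Added example (not from the post): the checks a reader of a clearsigned
advisory would run.  The checksum must come from INSIDE the signed text, the
patch bytes must match it, and the signature itself is left to gpg (assumed
installed) because OpenPGP is not in the Python standard library."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Checksum line format is an assumption for this example; the post notes that
# vendors of the day did not put checksums in the signed component at all.
CHECKSUM_RE = re.compile(
    r"^SHA-256\s*\(\s*(\S+)\s*\)\s*=\s*([0-9a-fA-F]{64})\s*$", re.M)


def split_clearsigned(text):
    """Return (signed_body, armored_signature) from an RFC 4880 clearsigned
    message.  Dash-escaping ('- ' prefix, section 7.1) is undone.  Anything
    before the BEGIN line or after the END line is not covered by the
    signature and is deliberately thrown away."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    # Skip the 'Hash:' armor headers; the body begins after the first blank line.
    i = start + 1
    while i < sig_start and lines[i].strip():
        i += 1
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


def canonical_text(body):
    """The form the signature covers (RFC 4880 section 7.1): trailing spaces
    and tabs stripped, CRLF line ends.  Whitespace damage by an MTA therefore
    survives verification; HTML entities or reflowed lines do not."""
    return "\r\n".join(l.rstrip(" \t") for l in body.split("\n"))


def signed_checksums(signed_body):
    """Map filename -> SHA-256 hex taken from the given text only."""
    return {name: digest.lower() for name, digest in CHECKSUM_RE.findall(signed_body)}


def patch_matches(signed_body, filename, patch_bytes):
    """True only if the signed body names `filename` and the bytes hash to it."""
    expected = signed_checksums(signed_body).get(filename)
    if expected is None:
        return False          # no checksum in the signed text: nothing to trust
    return hashlib.sha256(patch_bytes).hexdigest() == expected


def gpg_verify(message_text):
    """Hand the whole message to gpg (assumed on PATH, vendor key imported).
    True on a GOODSIG status line, False otherwise, None if gpg is absent or
    times out, so that 'not checked' can never be mistaken for 'checked'."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as f:
        f.write(message_text)
        path = f.name
    try:
        r = subprocess.run(["gpg", "--batch", "--no-tty", "--status-fd", "1",
                            "--verify", path],
                           capture_output=True, text=True, timeout=60)
        return "[GNUPG:] GOODSIG" in r.stdout
    except subprocess.TimeoutExpired:
        return None
    finally:
        os.unlink(path)


# Constructed sample: a stand-in patch and an advisory whose signature block is
# a placeholder, so everything but gpg_verify runs offline.
PATCH = b"MZ\x90\x00 constructed stand-in for a patch EXE\n"
PATCH_SHA256 = hashlib.sha256(PATCH).hexdigest()
ADVISORY = f"""Archive banner added by the web archive: not covered by the signature.
{BEGIN_SIGNED}
Hash: SHA256

Title:      Example Bulletin (constructed, not a real bulletin)
Patch:      Q123456_example.exe
- -- this line is dash-escaped because it starts with a dash
SHA-256 (Q123456_example.exe) = {PATCH_SHA256}
{BEGIN_SIG}
placeholder, not a real signature
{END_SIG}
Line appended after the signature, as an attacker editing an HTML copy could:
SHA-256 (Q123456_example.exe) = {'0' * 64}
"""

if __name__ == "__main__":
    body, _sig = split_clearsigned(ADVISORY)
    print("checksum from signed text only:", signed_checksums(body))
    print("naive scan of the whole page:  ", signed_checksums(ADVISORY))
    print("patch matches signed checksum: ", patch_matches(body, "Q123456_example.exe", PATCH))
    print("gpg says:", gpg_verify(ADVISORY))
```

Running it shows the failure mode the post worries about: a naive scan of the whole page picks up the checksum line appended after the signature, while `split_clearsigned` discards it, and an HTML-ified copy without the raw armored block cannot be handed to gpg at all.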

