Full Disclosure mailing list archives

Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin


From: Andrew Clover <and () doxdesk com>
Date: Wed, 29 Oct 2003 15:59:16 +0000

Nick FitzGerald <nick () virus-l demon co uk> wrote:

> Does their AUP/ToS/etc require that their certs not be used for such
> things??

I believe - and I haven't seen the agreement myself - that it says the
signer's code may not be 'malicious'.

This is of course difficult to define. If the software installs
underhandedly, pops up porn and leaks browsing habits, but its primary
purpose is to make money for the attacker rather than the malice of
causing harm to the user, does it count as malicious?

> Ownership of a certificate simply means that someone stumped up the
> cash (for a Thawte code signing cert that is about US$100/year) and the
> CA was "suitably convinced" that they really were (or genuinely
> represented) who they said they were (or represented).

Indeed. Unfortunately the "identity" is expressed as an arbitrary
string which is of no use to anyone. There's a little further information
in the cert, which the ActiveX download process does not allow to be
shown, but not nearly enough to track down the real authors and hold them
to account.

> an Authenticode "all clear" means that if you were stupid enough to
> "trust" (in the big sense) a piece of signed code the CA can help you
> locate the rat-bag who signed it should you want to fry their balls...

Unfortunately this has turned out not to be the case with Thawte at least,
who refused to disclose details for miscreants like the infamous Xupiter.

> That Authenticode has been "sold" (and worse, accepted by some) as anything
> else but a poor-man's excuse for "nothing much" is somewhere between really
> sad and criminal...

Quite agree. And of course half the pages that use ActiveX downloads promote
this with text claiming that Authenticode guarantees the code's safety.

-- 
Andrew Clover
mailto:and () doxdesk com
http://www.doxdesk.com/
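The thread's point about the signer "identity" being an arbitrary string, with the rest of the certificate hidden by the ActiveX download prompt, can be checked directly on any Authenticode-signed file. The script below is an added example for this archive page, not code from Andrew Clover, Nick FitzGerald or Microsoft; it uses the standard Get-AuthenticodeSignature cmdlet and the .NET X509 classes to dump everything the CA actually put in the signer's certificate and which CA vouched for it. The file path is a hypothetical placeholder.

```powershell
# Added example: show the signer identity fields that the ActiveX download
# dialog never displays. The default path is hypothetical; point it at any
# Authenticode-signed .exe/.dll/.ocx/.cab on the machine.
param([string]$Path = "C:\Downloads\plugin.ocx")

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status     : $($sig.Status)  ($($sig.StatusMessage))"

$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    Write-Warning "No Authenticode signature present on $Path"
    return
}

# The full Distinguished Name, not just the CN string the prompt shows.
# O=, L=, S=, C= are whatever the CA accepted from the applicant.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Serial     : $($cert.SerialNumber)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"

# Any extensions (SAN, policy OIDs, EKU) the CA added to the signing cert.
foreach ($ext in $cert.Extensions) {
    "Ext {0,-24}: {1}" -f $ext.Oid.FriendlyName, $ext.Format($false)
}

# Walk the chain so it is clear which CA is the one that "suitably convinced"
# itself of this identity and whom you would have to ask for the signer's details.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
foreach ($el in $chain.ChainElements) {
    "Chain      : " + $el.Certificate.Subject
}
```

Note that Status only tells you the signature is cryptographically intact and chains to a trusted root; it says nothing about what the code does, which is exactly the distinction the thread is drawing. The Subject line is the one thing a user could ever have matched against the prompt, and it is free text the CA chose to accept.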

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
