Full Disclosure mailing list archives
Re: Skype Debian package: allows complete machine takeover for Microsoft
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 28 Sep 2018 11:18:25 -0700
On Tue, Sep 25, 2018 at 07:04:18PM +0200, Enrico Weigelt, metux IT consult wrote:
> Operator's workaround: [..] c) use apt pinning to restrict the Microsoft repo to only the package 'skypeforlinux'

Please note that the Debian package pre/post inst/rm scripts run with full root privileges without any constraints on what they can do. If your threat model includes either a disclosure of Microsoft's APT repository signing key or malicious use of this key by Microsoft then this workaround does not address these threats.

Thanks
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/