On Wed, Apr 27, 2011 at 11:51 AM, Richard Pieri <[email protected]> wrote:
> On Apr 27, 2011, at 9:50 AM, Edward Ned Harvey wrote:
>>
>> Difficult, but certainly not impossible if verification is disabled.
>
> Unless there is something that I am missing, an attack of this sort is simple
> in an environment with automated updates. Take a Debian system using
> cron-apt to install security updates. I can identify what is currently
> installed with 'dpkg -l'. From this and a mirror copy I can identify what
> will be installed during the next update. Determining the update schedule is
> as simple as looking at /etc/crontab. By default, anacron on Debian runs the
> cron.daily scripts at 6:25 AM. So, with less than 2 minutes work I know what
> and when. Now I can pick an executable that I know will be (re)started as
> root, and there are plenty to choose from. Let's say apachectl.
>
> The only difficulty is working up an exploit with a matching hash before 6:25
> AM tomorrow.

If you are monitoring bug fix channels and can replicate the build environment,
you MIGHT get a larger window. Don't forget to use Amazon's EC2 to do the
heavy lifting as well.

Bill Bogstad
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
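The thread turns on whether verification is disabled on a host that installs updates unattended. The following is an added example, not part of the original messages: a small audit that flags APT settings which switch off repository authentication. The function names and sample inputs are constructed for illustration, and only flat-form `apt.conf` lines are handled (nested `APT { ... }` blocks are not parsed).

```python
import re

# Flat-form apt.conf options that weaken repository authentication,
# mapped to the boolean value that makes each one risky.
RISKY_OPTIONS = {
    "apt::get::allowunauthenticated": True,
    "acquire::allowinsecurerepositories": True,
    "acquire::allowdowngradetoinsecurerepositories": True,
    "acquire::check-valid-until": False,  # "false" disables expiry checks
}
TRUE_WORDS = {"true", "yes", "1", "on", "enable", "with"}
FALSE_WORDS = {"false", "no", "0", "off", "disable", "without"}
OPTION_RE = re.compile(r'^\s*([\w:-]+)\s+"([^"]*)"\s*;')
SOURCE_OPT_RE = re.compile(r'^\s*deb(?:-src)?\s+\[([^\]]*)\]')

def as_bool(word):
    """Map an apt boolean word to True/False, or None if unrecognised."""
    return True if word in TRUE_WORDS else False if word in FALSE_WORDS else None

def audit_apt_conf(text):
    """Return (line_no, option) for each setting that disables a check."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = re.split(r'//|#', line, maxsplit=1)[0]  # drop line comments
        m = OPTION_RE.match(line)
        if m and m.group(1).lower() in RISKY_OPTIONS:
            if as_bool(m.group(2).strip().lower()) is RISKY_OPTIONS[m.group(1).lower()]:
                findings.append((no, m.group(1)))
    return findings

def audit_sources(text):
    """Return (line_no, option) for sources.list entries that skip verification."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SOURCE_OPT_RE.match(line)
        for opt in (m.group(1).lower().split() if m else []):
            if opt in ("trusted=yes", "allow-insecure=yes"):
                findings.append((no, opt))
    return findings

# Constructed sample inputs, not taken from a real host.
SAMPLE_CONF = '''// constructed sample
APT::Periodic::Update-Package-Lists "1";
APT::Get::AllowUnauthenticated "true";
# Acquire::AllowInsecureRepositories "true";
Acquire::Check-Valid-Until "false";
'''
SAMPLE_SOURCES = '''deb http://deb.debian.org/debian stable main
deb [arch=amd64 trusted=yes] http://mirror.example.invalid/debian stable main
'''

if __name__ == "__main__":
    print(audit_apt_conf(SAMPLE_CONF), audit_sources(SAMPLE_SOURCES))
```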
