On Fri, 23 Mar 2001, Bob Bell wrote:
> On Fri, Mar 23, 2001 at 08:26:38AM -0500, Taylor, Chris <[EMAIL PROTECTED]> wrote:
> > Just for those of you who have not seen the bulletin, there is yet another
> > reason to look towards Linux.
>
> My understanding is that this has nothing to do with Microsoft
> Windows. This will likely only affect you if you go to a website, and
> your web browser asks you if you want to accept a certificate. Since it
> says "signed by Microsoft Corporation", you might be more inclined to
> say "yes". However, here the certificate actually belongs to a
> third party, and could conceivably be signing malicious code.
Well, no. It's certainly not MS's "fault", per se, but it certainly can
affect Windows users: frequently (especially with newer Windows versions),
you are informed that a given software package is either not signed by a
trusted authority (and defaults to not installing it), or that it *is*
signed by a trusted authority, and defaults to installing. So, as the
CERT report said, even a reasonably technologically proficient end-user
could be fooled and install software that they thought was trusted.
Here's a quote from the MS page:
"The certificates could be used to sign programs, ActiveX controls, Office
macros, and other executable content. Of these, signed ActiveX controls
and Office macros would pose the greatest risk, because the attack
scenarios involving them would be the most straightforward. Both ActiveX
controls and Word documents can be delivered via either web pages or HTML
mails. ActiveX controls can be automatically invoked via script, and Word
documents can be automatically opened via script unless the user has
applied the Office Document Open Confirmation Tool."
Bottom line: ouch.
-Ken
>
> This is not related to MS Windows. The error here was made by
> VeriSign, not Microsoft, who was tricked into believing that the
> individual who registered the certificate was an authorized Microsoft
> employee. The only thing that one could possibly blame Microsoft for
> is that Internet Explorer doesn't automatically check to see if a
> certificate has been revoked by VeriSign. However, I'm not sure if any
> other browsers do, either. It may also be true that these certificates
> are limited to ActiveX controls, but they just as well could have been
> issued for other purposes.
>
> --
> Bob Bell <[EMAIL PROTECTED]>
> -------------------------------------------------------------------------
> "Parentheses in Perl are like shoes in the Caribbean."
> -- Larry Wall, creator of the Perl programming language
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
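The two replies above describe the same failure from two sides: the client happily reports "signed by a trusted authority", and the only thing that could have stopped it, checking whether VeriSign had since revoked the certificate, is not done. The script below is an added example, not code from this thread, from the CERT advisory or from Microsoft. It rebuilds the situation with a throwaway PKI using only the openssl command-line tool: a root CA the verifier trusts, a code-signing certificate whose subject merely claims to be "Microsoft Corporation", a signed payload, and a CRL the CA publishes after the mistake is noticed. It then runs two verifiers over the result. The CA name, the subject, the payload control.bin, the config sections and every file name are constructed for the demo; the payload carries a plain detached signature rather than Authenticode's PKCS#7 wrapper, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the list thread). Rebuilds the "issued by a trusted CA, later revoked"
# situation with a throwaway PKI and shows why a verifier that never consults the CA's CRL keeps
# saying "trusted". Assumes only the openssl command-line tool; the CA name, the deliberately
# misleading subject "Microsoft Corporation", the payload control.bin and all file names are
# constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# One config file serves "openssl req" (with -subj, so the DN section stays empty) and the
# minimal database that "openssl ca" needs to revoke a certificate and emit a CRL.
write_config() {
    mkdir -p cadb/newcerts
    : > cadb/index.txt
    echo 1000 > cadb/crlnumber
    echo 01 > cadb/serial
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_codesign ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = codeSigning
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = cadb/index.txt
new_certs_dir    = cadb/newcerts
serial           = cadb/serial
crlnumber        = cadb/crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

# Root CA the verifier trusts, a code-signing cert whose subject only *claims* to be Microsoft,
# a signed payload, and finally the CA's revocation of that cert once the mistake is noticed.
setup_demo() {
    write_config
    openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca \
        -subj "/CN=Example Trusted Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Microsoft Corporation" -keyout signer.key -out signer.csr 2>/dev/null
    openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 -sha256 \
        -extfile demo.cnf -extensions v3_codesign -out signer.pem 2>/dev/null
    printf 'pretend ActiveX control bytes\n' > control.bin        # constructed payload
    openssl dgst -sha256 -sign signer.key -out control.sig control.bin
    openssl x509 -in signer.pem -pubkey -noout > signer.pub
    # The CA revokes the wrongly issued certificate and publishes the CRL.
    openssl ca -config demo.cnf -revoke signer.pem >/dev/null 2>&1
    openssl ca -config demo.cnf -gencrl -out crl.pem 2>/dev/null
}

# Verdict of a verifier that checks only "chains to a trusted root, has the code-signing EKU,
# signature matches": exactly the checks a wrongly issued certificate still passes.
chain_only_verdict() {
    openssl verify -CAfile ca.pem signer.pem >/dev/null 2>&1 || { echo reject; return 0; }
    openssl x509 -in signer.pem -noout -text | grep -q 'Code Signing' || { echo reject; return 0; }
    openssl dgst -sha256 -verify signer.pub -signature control.sig control.bin >/dev/null 2>&1 \
        && echo accept || echo reject
}

# Same verifier once the CA's CRL is consulted (-crl_check): the chain is still valid, but the
# leaf is listed as revoked, so the "trusted publisher" prompt must not appear.
chain_and_crl_verdict() {
    openssl verify -CAfile ca.pem signer.pem >/dev/null 2>&1 || { echo reject; return 0; }
    openssl verify -CAfile ca.pem -crl_check -CRLfile crl.pem signer.pem >/dev/null 2>&1 \
        || { echo revoked; return 0; }
    openssl x509 -in signer.pem -noout -text | grep -q 'Code Signing' || { echo reject; return 0; }
    openssl dgst -sha256 -verify signer.pub -signature control.sig control.bin >/dev/null 2>&1 \
        && echo accept || echo reject
}

setup_demo
echo "chain + signature only : $(chain_only_verdict)"
echo "chain + CRL + signature: $(chain_and_crl_verdict)"
```

Run as-is and the first line reports "accept" while the second reports "revoked": the certificate really does chain to the trusted root and the signature really does match, so a client that stops there shows the reassuring prompt, and only the CRL lookup (or an equivalent OCSP query, not shown) reveals that the issuer has withdrawn the certificate. Note also that the "Code Signing" check passes: the subject name and the key usage are both exactly what a legitimate publisher's certificate would carry, which is why the end user has nothing to go on.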