David B Teague wrote:
Lisi Reisz wrote:
On Saturday 02 August 2008 17:49:40 David B Teague wrote:
This is a very brief summary from this web site
http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php
The article says the EvilGrade Exploit tool kit is able to attack
systems using the "man in the middle", attacking through the
installation mechanism.
It actually says "updates" not installation (my stars):
<quote>
infecting systems through the **update** mechanism, according to a
ZDNet blog. The attackers claim, in the Readme for the kit, to have
modules implemented to attack the following product **updates**
</quote>
The attacker specifically mentions OO.o in the kit "ReadMe".
No, it says: "OpenOffices"
This is not the correct name of this program (or site) and OOo does
not have updates as such.
I doubt they have achieved what they claim, tho' that doesn't mean
that we can all be complacent.
OK, they committed a spelling error, but if they HAVE compromised
OpenOffice.org as I think they are suggesting, the spelling error in
their "ReadMe" will not make any difference at all. We will have given
them access to our systems through the installer.
I do not pretend to understand all this, but I do understand the idea
of threat. At present, to update OO.o, I download a Windows
installation file, and run it. I don't see any mechanism for signature,
nor do I see easy access to checksums.
I assure you in the future, I will be looking for checksums. I would
prefer to have digital signatures for installation files. If checksums
will assure me no one has fiddled with the installer, I'll gladly go
through the process of confirming checksums.
Now, would someone answer my questions?
Is Lisi right, there is no danger because of the difference between
"updates" and "installers"?
Is there any intent to introduce digital signatures?
Do checksums do the same thing as digital signatures?
David Teague
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
As far as checksums go I believe the move is to sha1sum in place of
md5sum (that's the number one in sha1sum). The explanation that I got
was that the process of generating md5sum has been cracked and therefore
allowing someone to "forge" a md5sum generated checksum. Making sha1sum
a more secure method. This is what I found on the Fedora site back on
FC7 or FC6 they discontinued using md5sum.
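
On the question raised in the thread of whether checksums do the same thing as digital signatures, the following is an added example and not part of the original messages. It compares the two checks when the installer and its checksum arrive over the same tampered channel; the toy RSA key, the sample byte strings and all function names are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes. Constructed for illustration:
# the key is far too small and the scheme is unpadded, so never use it for real.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, already held by the user
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held only by the publisher


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> int:
    """Publisher side: requires the private exponent D."""
    return pow(int(digest(data), 16) % N, D, N)


def checksum_ok(data: bytes, published_digest: str) -> bool:
    """Integrity only: anyone can compute a matching digest for any file."""
    return digest(data) == published_digest


def signature_ok(data: bytes, signature: int) -> bool:
    """Authenticity: checked against a public key obtained beforehand."""
    return pow(signature, E, N) == int(digest(data), 16) % N


def download(tampered_in_transit: bool):
    """Return (installer, checksum, signature) as the user receives them."""
    genuine = b"constructed sample: genuine installer bytes"
    signature = sign(genuine)
    if not tampered_in_transit:
        return genuine, digest(genuine), signature
    # Installer and checksum travel over the same channel, so both can be
    # replaced together. A valid signature cannot be recomputed without D.
    replaced = b"constructed sample: replaced installer bytes"
    return replaced, digest(replaced), signature


def verify(tampered_in_transit: bool) -> dict:
    data, checksum, signature = download(tampered_in_transit)
    return {"checksum": checksum_ok(data, checksum),
            "signature": signature_ok(data, signature)}


if __name__ == "__main__":
    print("clean   :", verify(False))
    print("tampered:", verify(True))
```

A checksum only adds assurance when it is obtained over a channel the tamperer does not control; the signature check depends only on the user already holding the correct public key.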