Related to "The incredible fraglility of Internet Security" , which Borepatch posted yesterday, I find this:
"Comodohacker: I Can Issue Fake Windows Updates"
Of course the
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," Microsoft engineer Jonathan Ness wrote in the blog. "The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate."Way to go guys. A statement like that is like crak to a hacker.
I bet that's a challenge that will be taken up in short order.
So after reading that article, my brain starts to veer its way to an infinite loop, preceded by the thought that perhaps I should turn automatic updates off until I find more about this. Fortunately I managed to execute the Taskill command in my brain and didn't overheat the processor.
Welcome to the Asylum, or perhaps it's Hell.
Interesting statement by Ness. Notice that he did not deny that a Man-IN-The-Middle situation couldn't cuase fake Windows Updates to be installed.
ReplyDeleteThe wording was actually very, very smooth.
And remember, it's the most secure Windows ever!
In their defense, kernel.org and linux.org have also been hacked. It's not at all clear that kernel.org can establish authenticity of their downloads. Sigh.