1997-03-04 - RE: It is time to break Authenticode
Header Data
From: “John Lehmann (SSASyd)” <LEHMANNJ@saatchi.com.au>
To: “‘cypherpunks@toad.com>
Message Hash: 759a479e4302a97cc27f2002a93dbe06bd2c7fe5cdba077a579ac3b40f7953b6
Message ID: <331BEF9B@smtp.saatchi.com.au>
Reply To: N/A
UTC Datetime: 1997-03-04 08:35:16 UTC
Raw Date: Tue, 4 Mar 1997 00:35:16 -0800 (PST)
Raw message
From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
Date: Tue, 4 Mar 1997 00:35:16 -0800 (PST)
To: "'cypherpunks@toad.com>
Subject: RE: It is time to break Authenticode
Message-ID: <331BEF9B@smtp.saatchi.com.au>
MIME-Version: 1.0
Content-Type: text/plain
> Microsoft's recent arrogant and irresponsible reply to the Chaos
> Computer Club hack on ActiveX requires response. An effective response
> would be to steal the key of a major code signer and produce a signed,
> malicious ActiveX control. Such an attack would demonstrate the
> serious problems of Microsoft's security philosophy.
>
> ...
>
> The best avenue of attack is stealing the secret key of a respected
> code signer. The target should be one of the major players, if not
> Microsoft itself. Someone is sloppy to store their secret key on a
It really should be Microsoft, for good exposure.
> getting signatures right is well understood. Still, does anyone have
> information on exactly how the signatures work?
http://www.microsoft.com/kb/articles/q159/8/93.htm
>
> Stealing the key itself will almost certainly be an illegal act.
> Morally, the demonstration signed control should itself not do damage.
> Something like the Exploder control (which warns the user before
> shutting down the machine) should be good enough to show the flaws of
> ActiveX without causing trouble.
The most interesting abuse the ActiveX thet I've heard of was a company
that released an ActiveX control that modified the security manager used
to verify and pass ActiveX controls, essentially registerring their
company as a trusted provider. Thus once this one control was accepted,
all other controls signed by that company were automatically accepted by
the browser.
The company quickly retracted the control and claimed that the
authentication abuse was a feature put in while the control was in
beta-cycle and accidently left in when it was finally released. Oops!
(This was reported on the www-security mailing list, but I have lost the
ref)
Perhaps an interesting "nudie screensaver" control could be made to mail
any Root.cer Cert.cer and Cert.spc (I guess) files lying around on the
target computer to a well known mailing-list...
One wonders whether it would even be illegal. *sigh* I suppose it would
be.
--
JJL
Thread
Return to March 1997
- Return to ““Cynthia H. Brown” <cynthb@sonetis.com>”
Return to ““John Lehmann (SSASyd)” <LEHMANNJ@saatchi.com.au>”
- 1997-03-04 (Tue, 4 Mar 1997 00:35:16 -0800 (PST)) - RE: It is time to break Authenticode - “John Lehmann (SSASyd)” <LEHMANNJ@saatchi.com.au>
- 1997-03-04 (Tue, 4 Mar 1997 12:40:49 -0800 (PST)) - RE: It is time to break Authenticode - “Cynthia H. Brown” <cynthb@sonetis.com>