
RE: It is time to break Authenticode

> Microsoft's recent arrogant and irresponsible reply to the Chaos
> Computer Club hack on ActiveX requires response. An effective response
> would be to steal the key of a major code signer and produce a signed,
> malicious ActiveX control. Such an attack would demonstrate the
> serious problems of Microsoft's security philosophy.
>
> ...
>
> The best avenue of attack is stealing the secret key of a respected
> code signer. The target should be one of the major players, if not
> Microsoft itself. Someone is sloppy to store their secret key on a

It really should be Microsoft, for good exposure.

> getting signatures right is well understood. Still, does anyone have
> information on exactly how the signatures work?

http://www.microsoft.com/kb/articles/q159/8/93.htm

>
> Stealing the key itself will almost certainly be an illegal act.
> Morally, the demonstration signed control should itself not do damage.
> Something like the Exploder control (which warns the user before
> shutting down the machine) should be good enough to show the flaws of
> ActiveX without causing trouble.

The most interesting abuse of ActiveX that I've heard of was a company
that released an ActiveX control that modified the security manager used
to verify and pass ActiveX controls, essentially registering their
company as a trusted provider.  Thus once this one control was accepted,
all other controls signed by that company were automatically accepted by
the browser.

The company quickly retracted the control and claimed that the
authentication abuse was a feature put in while the control was in
beta-cycle and accidentally left in when it was finally released.  Oops!
(This was reported on the www-security mailing list, but I have lost the
ref.)

Perhaps an interesting "nudie screensaver" control could be made to mail
any Root.cer, Cert.cer and Cert.spc (I guess) files lying around on the
target computer to a well known mailing-list...

One wonders whether it would even be illegal. *sigh* I suppose it would
be.

 --
JJL