Network & server security

  • skroo
    replied
    Originally posted by Chris
    Am I remembering incorrectly, or didn't windows update get nailed by Code Red because they hadn't patched it?
    Sounds familiar. It's been long enough that I don't remember specifics off the top of my head, though.

    I don't think you are wildly speculating at all, since by that same token, any patch bearing website could be owned and you could DL trojaned patches/updates.
    Exactly... As long as you can sign them, the OS (or, more specifically in this case, ActiveX control) will assume they're good and install them.

    How about this as a hypothetical situation: France does not permit encryption for civilian use. Assuming that Windows Update operates without encryption on French-language versions of Windows (which must suck if you live in, say, Senegal or Canada), someone does a pcap of a WU session on a French release, and compares it to one of the US English release. Taking the two streams side-by-side would be useful in understanding the encryption of the US version, if not others.

    (Note: It's probably safe to assume that Microsoft has dispensation from the French government to allow crypto in Windows Update; if they didn't, someone would almost certainly have done this by now. But this is entirely hypothetical, after all.)

    What to do with the presumably-cleartext stream from the French version should be pretty straightforward: locate the keys used to sign the package and extract them, then figure out how to forge a signature well enough that it passes through the WU ActiveX control and allows a package to be installed. Granted, this is easier said than done but does demonstrate that the basic principles behind installing bogus updates aren't reaching into the realms of science fiction.

    Also, I believe that WU stores the IP address (not DNS name) of the WU server it should contact first in the ActiveX control in an encrypted format. Replace that (see: another mass-mailing worm) and there's a lot of potential for huge damage.



  • Chris
    replied
    Originally posted by skroo
    OK, fair point. But what happens when someone eventually understands the mechanism by which Windows Update does operate, and exploits that to push malicious code down to n thousand machines? Granted, this is a speculative scenario, but not wildly so.

    Am I remembering incorrectly, or didn't windows update get nailed by Code Red because they hadn't patched it?

    I don't think you are wildly speculating at all, since by that same token, any patch bearing website could be owned and you could DL trojaned patches/updates.



  • skroo
    replied
    Originally posted by Mr. Peabody
    I'm sure Microsoft doesn't allow their programmers whimsical access to publishing.
    OK, fair point. But what happens when someone eventually understands the mechanism by which Windows Update does operate, and exploits that to push malicious code down to n thousand machines? Granted, this is a speculative scenario, but not wildly so.



  • Mr. Peabody
    replied
    Originally posted by Qu|rk
    Windowsupdate? I'd have to say.... no... especially if you are foolish enough to tell it to always trust Microsoft content (major security risk, trusting a software company with rogue coders that hate their job, and don't know how to bug hunt or use Purify). If you've read the things about Microsoft update in depth, they can send you anything, force you to install it, and if it happens to wipe out your drive... surprise, it's not their fault nor will it stand up in a court of law. If you want patches, I would recommend manual update from their site, going only after what you need, which is still more than likely questionable at best - but it's Microsoft...

    Quirk-
    Corrections aside, just 2 quick points to make.

    I'm sure Microsoft doesn't allow their programmers whimsical access to publishing.

    Every software development company has an indemnification of damages in their EULA.



  • Qu|rk
    replied
    Yes, I tend to do that when doing tequila shots and posting - I'm currently going over anything I posted on last night and making sure that things are ok, and I didn't make an ass of myself further.


    Quirk-



  • Chris
    replied
    Originally posted by Qu|rk
    Windowsupdate? I'd have to say.... no... especially if you are foolish enough to tell it to always trust Microsoft content (major security risk, trusting a software company with rogue coders that hate their job, and don't know how to bug hunt or use Purify). If you've read the things about Microsoft update in depth, they can send you anything, force you to install it, and if it happens to wipe out your drive... surprise, it's not their fault nor will it stand up in a court of law. If you want patches, I would recommend manual update from their site, going only after what you need, which is still more than likely questionable at best - but it's Microsoft...

    Quirk-
    I think you are referring to Automatic Update. Windows Update is the one where you "manually" go to their site and choose the updates/patches you want.



  • Qu|rk
    replied
    Originally posted by Mr. Peabody
    Useful tools like pkg_update or windowsupdate are useful for keeping your core system current, however this will never protect you against tomorrow's exploits.
    Windowsupdate? I'd have to say.... no... especially if you are foolish enough to tell it to always trust Microsoft content (major security risk, trusting a software company with rogue coders that hate their job, and don't know how to bug hunt or use Purify). If you've read the things about Microsoft update in depth, they can send you anything, force you to install it, and if it happens to wipe out your drive... surprise, it's not their fault nor will it stand up in a court of law. If you want patches, I would recommend manual update from their site, going only after what you need, which is still more than likely questionable at best - but it's Microsoft...

    Quirk-



  • Mr. Peabody
    replied
    Everyone seems to have their own opinion to your broad and general question, but I'll just chip my 2 cents in...

    The first thing you want to do when you are concerned about your security is to disable all your services, then go back and turn on the things you need to perform whatever functions that computer is to perform, and then update and patch everything that is running to the latest build.

    Useful tools like pkg_update or windowsupdate are useful for keeping your core system current, however this will never protect you against tomorrow's exploits.

    I cannot emphasize enough how important it is to understand completely how your firewall works before deploying it and assuming your safety. Compromising a "firewalled" system is a cinch if the system is too promiscuous with permissive rules. A firewall is intended to be strict; keep it that way. Remember to keep every user workstation out of your DMZ. I've seen many kiddies who can't figure out how to get Instant Messenger or DCC to work on IRC and, instead of working out the correct firewall rules, place their own workstation in their DMZ.

    In summary, disable services, keep your system up to date, behind your firewall, and pull the belt as tight as you can. You don't want your pants falling off your ass like another dumb wigger.



  • Qu|rk
    replied
    Redhat 8.0 as server? Do you have a custom/modified kernel? Did you do all the basic checks for misconfigurations within Redhat itself? The first two things I would do, if you have not done so already: find / -type f -perm -04000 -ls to get the list of SUID files, and find / -type f -perm -02000 -ls to get the list of SGID files. If you're new to *nix, the list may appear foreign, but in the stock release of 8.0 there are world-writable files that shouldn't be. An old but good example is the issue with S99local, which is having /etc/rc.d/rc3.d/S99local as a world-writable startup script... extremely dangerous, and you're giving away root with minimal difficulty. When the system is started, it's executed as root, and attackers could create a SUID shell the next time the system is restarted. With a small string I won't post here for obvious reasons, it very well could create a SUID shell in /tmp; in addition it'll make /home/public world-writable, thus attackers can overwrite any file in the directory with the mv command. Two minutes to game over for one of the most overlooked holes if you're not careful.

    Qu|rk
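
The checks Qu|rk describes, as an added example that is not the poster's code: a small POSIX sh audit that applies the same find predicates (SUID/SGID and world-writable regular files) to a directory tree and flags world-writable startup scripts of the S99local kind. The sample tree, its file names and the --demo flag are constructed for illustration and touch no real system files.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Assumes POSIX find(1), chmod(1)
# and mktemp(1); every path below is a constructed sample, not a system path.

# List set-uid or set-gid regular files under $1 (same predicates as the
# two find commands in the post, minus -ls so the output is one path per line).
audit_setid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null
}

# List world-writable regular files under $1. In an rc.d directory this is
# the S99local giveaway: a script root runs at boot that anyone can edit.
audit_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Gate for a cron job or login check: 0 when the startup tree under $1 is
# clean, 1 (with a warning) when any world-writable script is present.
audit_rc_scripts() {
    n=$(audit_world_writable "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n world-writable file(s) under $1 (fix: chmod o-w)"
        return 1
    fi
    return 0
}

# Build a constructed sample tree in a temp dir and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/rc.d/rc3.d" "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/etc/rc.d/rc3.d/S99local"
    chmod 0777 "$root/etc/rc.d/rc3.d/S99local"      # the misconfiguration from the post
    printf '#!/bin/sh\n' > "$root/etc/rc.d/rc3.d/S10network"
    chmod 0755 "$root/etc/rc.d/rc3.d/S10network"    # correctly permissioned script
    : > "$root/usr/bin/passwd_sample"; chmod 4755 "$root/usr/bin/passwd_sample"  # SUID
    : > "$root/usr/bin/wall_sample";   chmod 2755 "$root/usr/bin/wall_sample"    # SGID
    : > "$root/usr/bin/ls_sample";     chmod 0755 "$root/usr/bin/ls_sample"      # plain
    echo "$root"
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    SAMPLE=$(make_sample_tree)
    echo "SUID/SGID files:"; audit_setid "$SAMPLE"
    audit_rc_scripts "$SAMPLE/etc/rc.d" || echo "startup scripts need fixing"
    rm -rf "$SAMPLE"
fi
```

Run the two list functions against / on a real host to reproduce the post's checks; audit_rc_scripts against /etc/rc.d is the part worth scheduling.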



  • pbxphreak
    replied
    Well, I always have Nessus on my box, and always update the plugins and scan on a regular basis. I run FreeBSD though, not Linux. As far as mail and anti-virus solutions, we have all that filtered out with SpamAssassin, and we filter out virii.

    hope that helps.



  • maestro
    replied
    spyware..

    depreschn, I don't know if anyone answered your question on spyware..
    Is spyware dangerous in some way? (I agree that everyone has a bad feeling when you don't know if someone is spying on you..)
    You might want to check some of these links out for your XP system:

    http://www.lavasoftusa.com/software/adaware/

    http://www.spybot-search.com/

    Haven't tried this, but found it through my travels:
    http://www.spykiller.com/index4.asp?ref=2400
    I hope this was some help.
    Good luck



  • astcell
    replied
    Why would there be limited opportunities in Slovenia? I was in Croatia and Bosnia in 1997 doing sysadmin work and I could still be there today if I wanted. Take a year of computer school then search out Verizon or Brown & Root, both of whom are always hiring in the areas. I would have stayed but my girlfriend back in the states would have killed me. :>



  • dEPRESChn
    replied
    Tnx.. Very nice of you..



  • highwizard
    Guest replied
    Originally posted by dEPRESChn
    I did go through those links and haven't noticed it. Sorry, I'll look again. Tnx
    Listen, I'm not big on holding hands, but I will be nice and do it this time.

    Start Here and Read the Thread:

    http://forum.defcon.org/showthread.php?t=1847

    People like Astcell and 0versight actually give some good information in there.

    If you need further information, use the SEARCH function.

    This is the last time I will indulge you with hand holding.



  • dEPRESChn
    replied
    I did go through those links and haven't noticed it. Sorry, I'll look again. Tnx
