Unverified software update
I downloaded those updates for Kubuntu 13.04 without problem from the GB mirror. If you want to be sure that you're updating from a trusted source, I would change the mirror site you download your updates from. It may just be a temporary problem affecting your current mirror.
The reason why I want to point this out is that this is actually my worst nightmare and the reason why I use Linux. I think everybody read how Microsoft automatic updates were cracked, and I don't want to see this happening in Linux. Your system runs, for sure, but with an open back door.
jalomann
twitter.com/jalomann
SteveRiley
Originally posted by jalomann: Microsoft automatic updates were cracked

Do you have a source for this claim? Microsoft updates are digitally signed using a private key issued by an internal CA that has no Internet access. Signed updates are subsequently staged to servers around the world for distribution. Windows validates the digital signature using an internally-stored public key that corresponds to the signing key. Only if an update hasn't been tampered with will it be installed.
Originally posted by SteveRiley: Do you have a source for this claim?

Sure. It was a big mess about one year ago. I found these with a quick Google search.
http://arstechnica.com/security/2012...lame-pki-hack/
Chris Soghoian explains the consequences when automatic updates are compromised:
http://threatpost.com/chris-soghoian...r-061412/76690
Governmental spyware uses the same mechanism, usually an Adobe Flash update.
Originally posted by sithlord48: there is a repo that you maybe added without the repo key, so the packages can not be verified as untampered

No. I didn't add any repos. I did check /etc/apt.conf, though, for anything unusual. This has something to do with the keys, and that's why I find it critical.
SteveRiley
Originally posted by jalomann: Sure. It was a big mess about one year ago. I found these with a quick Google search.
http://arstechnica.com/security/2012...lame-pki-hack/

Ah, Flame. The most succinct explanation of how Flame exploited a poorly-formed certificate is at Wikipedia:

"Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority. The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft. A successful collision attack against a certificate was previously demonstrated in 2008, but Flame implemented a new variation of the chosen-prefix collision attack."

Not so much an attack targeted at Microsoft Updates as an attack that exploits weaknesses in PKI. I wouldn't say this "cracked" Microsoft Updates. But it did allow a brief period of successful impersonation to occur.

Last edited by SteveRiley; Jul 24, 2013, 08:39 AM.
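As an added example (not code from the thread or from Kubuntu's apt), the following reproduces the digest chain apt checks beneath the Release file that the repository key vouches for, which is the link the "repo added without its key" suggestion above is about, on constructed sample data; it also refuses an index that Release covers only with the MD5Sum section, the same weak digest the Flame certificate relied on. The Release text, paths and package fields are constructed for illustration.

```python
"""Added example, not code from the thread: the digest chain apt walks
beneath a signed Release file, run on constructed sample data.

apt trusts a repository only after the repository's key verifies the
signature on Release/InRelease. Each Packages index must then match a
digest listed in Release, and each .deb a digest listed in Packages.
A repository added without its key breaks the first link, so nothing
below it can be verified. This script reproduces the second link and
refuses an index that Release covers only with the weak MD5Sum section.
"""
import hashlib

# Constructed sample index, as it would sit at main/binary-amd64/Packages.
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES = (b"Package: example-tool\nVersion: 1.0-1\n"
            b"Filename: pool/main/e/example-tool_1.0-1_amd64.deb\n")

def build_release(path, data, with_sha256=True):
    """Minimal Release body covering `data` (constructed sample). In a real
    repository this text is what the repository key signs; no signature here."""
    size = len(data)
    text = "Suite: raring\nMD5Sum:\n"
    text += " %s %d %s\n" % (hashlib.md5(data).hexdigest(), size, path)
    if with_sha256:
        text += "SHA256:\n"
        text += " %s %d %s\n" % (hashlib.sha256(data).hexdigest(), size, path)
    return text

def release_digests(release_text, section):
    """Parse one digest section ("SHA256" or "MD5Sum") of a Release file
    into {path: hexdigest}. Entry lines are indented: ' <hash> <size> <path>'."""
    digests, current = {}, None
    for line in release_text.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            current = line[:-1]
        elif line.startswith(" ") and current == section:
            parts = line.split()
            if len(parts) == 3:
                digests[parts[2]] = parts[0]
    return digests

def verify_index(release_text, path, data):
    """'verified' if the SHA256 entry matches, 'tampered' if it does not,
    'unverified' if Release lists no SHA256 entry for path (an MD5Sum
    entry alone is not accepted as proof of integrity)."""
    sha256 = release_digests(release_text, "SHA256")
    if path not in sha256:
        return "unverified"
    actual = hashlib.sha256(data).hexdigest()
    return "verified" if actual == sha256[path] else "tampered"
```

Calling `verify_index` with a Packages body that differs by a single byte from the one hashed into Release returns "tampered", which is the condition that makes apt refuse an index.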