RE: [Full-Disclosure] trust? - win2k source code tools
- To: "'morning_wood'" <se_cur_ity@hotmail.com>, <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] trust? - win2k source code tools
- From: "Mike Fratto" <mfratto@nwc.com>
- Date: Tue, 17 Feb 2004 13:46:35 -0500
> NOW EVERY EXECUTABLE IS TRUSTED AND DIGITALLY SIGNED
>
> found this interesting...
> \win2k\private\inet\mshtml\build\scripts\tools\x86
>
> iexpress.exe
> signcode.exe
> makecert.exe ( DigSig.dll )
>
> ( in fast food voice ) and who would you like your package to
> be certified from today sir?
> \win2k\private\ispu\pkitrust\initpki\certs\
Nah, unless the private keys were in the directory, all you have are tools
to sign a binary. Big deal. The signatures aren't "trusted" until the target
has the certificate with the corresponding public key in the local key store.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
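
The distinction drawn in the reply above, between a binary that merely carries a signature and one whose signer chains to a certificate in the local store, can be checked on a Windows host. This is an added example and not part of the original message; the function name `Get-SignatureTrust` and the default scan path are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread). For each executable, report
# whether it is signed and whether the top of the signer's certificate chain
# is present in this machine's trusted root stores.
# Get-SignatureTrust and the default path are hypothetical names chosen here.

function Get-SignatureTrust {
    param([Parameter(Mandatory)][string]$File)

    $sig         = Get-AuthenticodeSignature -FilePath $File
    $cert        = $sig.SignerCertificate
    $rootThumb   = $null
    $rootTrusted = $false

    if ($cert) {
        # Build the chain without revocation lookups so the check runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)

        $count = $chain.ChainElements.Count
        if ($count -gt 0) {
            # Last element is the top of whatever chain could be built. For a
            # self-signed test certificate that is the signer certificate itself.
            $rootThumb   = $chain.ChainElements[$count - 1].Certificate.Thumbprint
            $rootTrusted = (Test-Path "Cert:\LocalMachine\Root\$rootThumb") -or
                           (Test-Path "Cert:\CurrentUser\Root\$rootThumb")
        }
    }

    [pscustomobject]@{
        File             = $File
        Signed           = [bool]$cert
        Status           = $sig.Status
        Signer           = if ($cert) { $cert.Subject } else { $null }
        RootThumbprint   = $rootThumb
        RootInLocalStore = $rootTrusted
        Message          = $sig.StatusMessage
    }
}

# Assumed default directory; pass another path as the first script argument.
$Path = if ($args.Count -gt 0) { $args[0] } else { "$env:SystemRoot\System32" }

# List files that carry a signature whose chain does not end in a local root.
Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignatureTrust -File $_.FullName } |
    Where-Object { $_.Signed -and -not $_.RootInLocalStore } |
    Format-Table File, Status, Signer -AutoSize
```

Files listed by this script are signed, but their signer does not chain to a root in the local store, which is the case the reply describes for a binary signed with a freshly generated certificate.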