[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Recent claims that windows update is broken
- To: Dan Kaminsky <dan@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Recent claims that windows update is broken
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Sat, 10 Sep 2011 10:05:37 +0300
On Fri, Sep 09, 2011 at 03:09:25PM -0700, Dan Kaminsky wrote:
> On Thu, Sep 8, 2011 at 2:55 AM, Georgi Guninski <guninski@xxxxxxxxxxxx>wrote:
>
> > http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/
> > "I'm able to issue windows update," he [Comodohacker] wrote. "Microsoft's
> > statement about Windows Update and that I can't issue such update is totally
> > false!"
> >
> > The original Comodohacker statement is at: http://pastebin.com/85WV10EL
> >
> > Is this true?
> >
>
> For the record, no. Windows Update doesn't just depend on WinVerifyTrust,
> it also calls CertVerifyCertificateChainPolicy with
> the CERT_CHAIN_POLICY_MICROSOFT_ROOT flag, documented here:
>
> http://msdn.microsoft.com/en-us/library/aa377163(v=vs.85).aspx
>
>
>
By your logic there would be no exploits just because the documentation writes
so.
I bothered to ask mainly for these reasons:
1. It is unclear to me what collection of private keys/certs Comodohacker has
2. From thereg article:
>Microsoft declined to comment.
--
georgi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/