[Juan]
- Wine doesn't actually verify that the signature in the file matches the file being checked. Any valid certificate could be put into a file, and Wine would accept it.
I don't consider this a serious security flaw

I assume you don't ship signed software. If you did, you might see things differently. Unless I've misunderstood, you've made this possible:
1. I release my software with my digital signature attached
2. A malware author downloads my software, extracts my certificate, and applies it to his malware
3. His software infects a user's machine and damages it. The user discovers the infection, looks at the signature, **Wine says that the certificate is valid**, and the user blames me.
Please, either tell me I'm wrong, or make Wine honest about what it's telling the user.
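
The difference this message turns on, as an added example that is not part of the original post and is not Wine's code: a check that only validates the signature block, next to one that also binds the block to the file being checked. The key, function names and sample bytes are constructed for illustration; the toy RSA key stands in for a publisher's code-signing certificate, and the block is kept detached from the file for simplicity.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes) standing in for a publisher's
# code-signing key. Far too small and unpadded for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the publisher


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(file_bytes: bytes) -> dict:
    """Publisher side: sign the digest of the file, return a signature block."""
    d = digest(file_bytes)
    return {"digest": d, "sig": pow(int.from_bytes(d, "big") % N, D, N)}


def block_is_valid(block: dict) -> bool:
    """Incomplete check: the signature covers the digest stored in the block.
    The file itself is never looked at, so the block validates next to any file."""
    signed_value = int.from_bytes(block["digest"], "big") % N
    return pow(block["sig"], E, N) == signed_value


def file_is_signed(file_bytes: bytes, block: dict) -> bool:
    """Complete check: the block is valid AND its digest is the digest of
    the file actually being checked."""
    return block_is_valid(block) and block["digest"] == digest(file_bytes)


# Constructed sample inputs.
PUBLISHER_FILE = b"constructed bytes of the publisher's release"
OTHER_FILE = b"constructed bytes of an unrelated program"
BLOCK = sign(PUBLISHER_FILE)

if __name__ == "__main__":
    print("block alone valid:         ", block_is_valid(BLOCK))
    print("publisher file + block:    ", file_is_signed(PUBLISHER_FILE, BLOCK))
    print("unrelated file + same block:", file_is_signed(OTHER_FILE, BLOCK))
```

A verifier that reports only the result of `block_is_valid` tells the user the signature is valid regardless of which file it is attached to; only the digest comparison in `file_is_signed` ties the publisher's name to the bytes on disk.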