[19939] in bugtraq


Re: Microsoft Security Bulletin MS01-018 -- BAD SIGNATURE?

daemon@ATHENA.MIT.EDU (Eric)
Fri Mar 30 04:32:25 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-ID:  <4.3.2.7.1.20010328195513.02574ca0@216.182.1.1>
Date:         Wed, 28 Mar 2001 20:06:12 -0800
Reply-To: Eric <ews@TELLURIAN.NET>
From: Eric <ews@TELLURIAN.NET>
X-To:         Caskey <caskey@TECHNOCAGE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10103280601270.30334-100000@vaio.factory.tci >

There are times when the LSoft Listserver software interferes with the
signature signing process, so even though the signature may check as valid
when the email is being approved, the email is not valid when it's shipped
from the LSoft server.  This is not the first Microsoft Bulletin to suffer
from this problem, but will hopefully be one of the last.  (I understand
procedures are underway to correct this annoying bug.)

If you question the validity of any Security Bulletin, you can always read
the entire issue on the website
(http://www.microsoft.com/technet/security/current.asp).  The email about
the bulletin is only to serve as a heads up that there is a security
bulletin on the website and you should read it there.  Microsoft
experimented with sending a stripped down email that simply stated the
Bulletin Title with a link to the bulletin on the website, but that
experiment went over as well as a Multi-Colored Bomb Pop on a cold winter
day (the kind you get from the ice cream truck).

Should the Microsoft web site and security bulletins ever be compromised
and modified, I'm sure that this event will not pass quietly.  If you're
still paranoid, you can read the KB article which is stored in a different
location, which would also have to be modified by the person who modified
the bulletin.

Regarding the hotfix package itself... every security hotfix is signed by
Microsoft, and the signature can be verified using the sigverif.exe command
line tool (available on Win2K and maybe others).

Oh, and yes, MS01-018 is a legitimate advisory.

--eric

At 06:34 AM 3/28/2001 -0800, Caskey wrote:
>On Mar 27, Microsoft Product Security quoth:
>
> > Title:      Visual Studio VB-TSQL Object Contains Unchecked Buffer
>
>I have been unable to verify the signature on this advisory as broadcast
>to the bugtraq list no matter how I try.  Just to be sure I didn't
>suddenly start doing things differently, I went back and re-verified all the
>other Microsoft advisories for the month of March in the exact same manner
>and they all checked out.

><snip>
>
>C=)
>
>--------------------------------------------------------------------------
>If you want to build a ship, don't drum up people together to collect wood
>  and don't assign them tasks and work, but rather teach them to long for
>      the endless immensity of the sea. -- Antoine de Saint Exupery
>--------------------------------------------------------------------------
>Caskey <caskey*technocage.com>       ///                   TechnoCage Inc.
>--------------------------------------------------------------------------
>   It's not an optical illusion, it just looks like one.  -- Phil White
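As an added illustration of why a bulletin whose signature checked out at approval time can fail to verify after the list server ships it (this is example code written for this page, not code from Microsoft, LSoft or anyone in the thread): it signs a constructed bulletin text with Ed25519 as a stand-in for PGP, applies three changes a mail relay or format=flowed-aware agent might make, and shows which of them survive the trailing-whitespace canonicalization that cleartext-signature schemes such as OpenPGP apply before hashing. The bulletin body and the listserv trailer are constructed, not the real MS01-018 text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed stand-in for a bulletin body (not the real MS01-018 text). The
// trailing space on the "Summary:" line is a format=flowed soft line break.
const bulletin = "Title: Visual Studio VB-TSQL Object Contains Unchecked Buffer\r\n" +
	"Summary: a buffer in the VB-TSQL object is unchecked; see the website \r\n" +
	"for the full bulletin and patch details.\r\n"

// canonicalize mirrors what a cleartext-signature scheme such as OpenPGP does
// before hashing: strip trailing whitespace from each line and use CRLF.
func canonicalize(msg string) string {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return strings.Join(lines, "\r\n")
}

// Three things a list server or mail agent may do to the text in transit.
func stripTrailingSpace(msg string) string { return strings.ReplaceAll(msg, " \r\n", "\r\n") }
func addTrailer(msg string) string {
	return msg + "-- \r\nTo unsubscribe, send mail to listserv@example.invalid\r\n"
}
func reflow(msg string) string { return strings.ReplaceAll(msg, " \r\n", " ") } // join soft breaks

// Results reports whether a signature made over the canonical original still
// verifies after each transformation (each copy is canonicalized before checking).
type Results struct{ Original, Stripped, Trailer, Reflowed bool }

func checkTransit() Results {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, []byte(canonicalize(bulletin)))
	ok := func(m string) bool { return ed25519.Verify(pub, []byte(canonicalize(m)), sig) }
	return Results{ok(bulletin), ok(stripTrailingSpace(bulletin)), ok(addTrailer(bulletin)), ok(reflow(bulletin))}
}

func main() {
	fmt.Printf("%+v\n", checkTransit())
}
```

Stripping trailing whitespace is absorbed by canonicalization, but an appended trailer or a reflowed soft break changes the signed bytes, which is why the copy on the website is the one to verify.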
