Re: WMP Adware: A Case Study in Deception

b dalton:
Three comments:
1. The digital signing of a software component (be it an application, plugin, active-x control, or whatever) doesn't guarantee that it's safe to use, it merely guarantees that it hasn't been altered by some hacker. That is, if a hacker gets a legit program, alters it into malware, then releases it to the web still in the guise of the original legit program, the malware version of the program won't match the legit program's digital sig (and indeed, the malware won't be signed at all in this case). A side benefit of digital signing is that most hackers won't bother to digitally sign their malware, whether it's an altered version of legit software or an original creation.
2. There is a call for Microsoft to "patch" this "loophole" by eliminating the ability for a media file to launch a web page. Well, the WM spec has always allowed for three streams: video, audio, and scripting. The scripting stream allows (among other things) the media file to contain instructions to launch a particular URL when a particular point in the audio/video stream is reached when being played (QuickTime (and Real, I believe) also has this ability). And there is useful functionality that this allows. Simply doing away with this in order to patch this "loophole" is just more of the "we must cripple useful functionality because it might prove unsafe" mindset that speaks of people running scared. Patching things simply by killing functionality provides a victory to the hackers. Aren't you guys tired of running scared all the time?
3. There is a call for Microsoft to "patch" this "loophole" by reimplementing the DRM mechanism by not displaying any web page or whatever. Well, frankly, most of the comments here regarding the DRM license-fetching mechanism are actually just rabid anti-DRM comments rather than comments about this particular "loophole", and I don't put much weight into these comments. Same goes for the comments that are little more than Microsoft-bashing.

rogue (I Have A Secret Window, Premium, join: 2001-10-17, Lake Hiawatha, NJ):
said by b dalton:
Three comments:
1. The digital signing of a software component (be it an application, plugin, active-x control, or whatever) doesn't guarantee that it's safe to use, it merely guarantees that it hasn't been altered by some hacker. That is, if a hacker gets a legit program, alters it into malware, then releases it to the web still in the guise of the original legit program, the malware version of the program won't match the legit program's digital sig (and indeed, the malware won't be signed at all in this case). A side benefit of digital signing is that most hackers won't bother to digitally sign their malware, whether it's an altered version of legit software or an original creation.
It would seem logical to me that the 'hacker' would consider hacking the signature as well if it meant the difference between a hack that worked and one that did not.
-- Bozone (n.): The substance surrounding stupid people that stops bright ideas from penetrating.
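As an added illustration of b dalton's point 1 and rogue's follow-up (example code, not from either poster): a signature binds the publisher's private key to the exact bytes, so altered bytes fail against the publisher's public key, and without that private key the altered file can only be signed under some other key; whether the signed bytes are safe is a separate question the signature never answers. The keys are constructed from known Mersenne primes using textbook RSA with no padding, purely for demonstration.

```python
import hashlib


def make_key(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, Python 3.8+
    return (n, e), (n, d)              # (public, private)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the bytes, reduced into the signing modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    """Publisher side: needs the private key."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """Consumer side: needs only the public key of the expected publisher."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


# Constructed keys: the legitimate publisher's and an impostor's (Mersenne primes).
PUBLISHER_PUB, PUBLISHER_PRIV = make_key(2**61 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_key(2**107 - 1, 2**127 - 1)

LEGIT = b"MZ legit player component v1.0"      # constructed stand-in for a signed binary
TAMPERED = LEGIT.replace(b"legit", b"adware")  # the "altered into malware" case


def signature_outcomes() -> dict:
    sig = sign(LEGIT, PUBLISHER_PRIV)
    return {
        # unmodified component checks out against the publisher's key
        "legit": verify(LEGIT, sig, PUBLISHER_PUB),
        # altered bytes no longer match the original signature (point 1)
        "tampered_reuses_sig": verify(TAMPERED, sig, PUBLISHER_PUB),
        # impostor signs with their own key: still fails against the publisher's key
        "tampered_impostor_key": verify(TAMPERED, sign(TAMPERED, IMPOSTOR_PRIV), PUBLISHER_PUB),
        # ...yet verifies against the impostor's own key: "signed" is not "safe"
        "tampered_impostor_self": verify(TAMPERED, sign(TAMPERED, IMPOSTOR_PRIV), IMPOSTOR_PUB),
    }


if __name__ == "__main__":
    for name, ok in signature_outcomes().items():
        print(f"{name}: {ok}")
```

The check that actually protects a user is therefore the last line of verify: which public key the signature is tested against, not merely whether some signature is present.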