[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Skype Debian package: allows complete machine takeover for Microsoft
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2018-09-28 18:18:25
Message-ID: 20180928181825.GA20526 () hunt
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
On Tue, Sep 25, 2018 at 07:04:18PM +0200, Enrico Weigelt, metux IT consult wrote:
> Operator's workaround:
> [..]
> c) use apt pinning to restrict the Microsoft repo to only the
> package 'skypeforlinux'
Please note that the Debian package pre/post inst/rm scripts run with
full root privileges without any constraints on what they can do.
If your threat model includes either a disclosure of Microsoft's APT
repository signing key or malicious use of this key by Microsoft then
this workaround does not address these threats.
Thanks
["signature.asc" (application/pgp-signature)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic