[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Study: Attacks on package managers (inclusing apt)

Michael Stone <mstone@debian.org> writes:

> On Fri, Jul 18, 2008 at 01:17:43PM +0200, Goswin von Brederlow wrote:
>>Or just one DNS server or even just the users client.
> You'd also have to keep the DNS server wrong. Doing this in a manner
> that people don't notice is (IMO) hard, because people do go looking
> for particular security updates. And if the client is already
> compromised, who cares about whether the update mechanism has
> theoretical issues?
> Mike Stone

See the latest DNS vulnerability about how you can compromise a clients
DNS without having to hack a DNS server.

Only way people notice a spoofed dns reply is when they saw a security
update being announced and apt-get won't get it. Not everybody does,
some people just run apt get and trust it to work.


Reply to: