Story 2014-10-12

HP accidentally signed malware, will revoke certificate

by
Anonymous Coward
in security on (#2T7T)
Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software, including hardware drivers and other software essential to running older HP computers. The certificate is being revoked because the company learned it had been used to digitally sign malware that had infected a developer's PC.
Brett Wahlin, HP's chief information security officer, said that it appears the malware, which had infected an HP employee's computer, accidentally got digitally signed as part of a separate software package, and then sent a signed copy of itself back to its point of origin. Though the malware has since been distributed over the Internet while bearing HP's certificate, Wahlin noted that the Trojan was never shipped to HP customers as part of the software package.

"When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case," Wahlin told Krebs. "We can show that we've never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact."
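The practical question for an admin reading this is what on their own machines was signed with the certificate that is about to be revoked. The inventory script below is an added example, not code from the story or from HP; the thumbprint is a placeholder (the story does not give one) and the search roots are an assumption.

```powershell
# Added example, not from the story or from HP. Lists executables and drivers
# under the given roots whose Authenticode signer matches a certificate
# thumbprint, so the effect of a revocation can be seen before it happens.
# The thumbprint is a placeholder; take the real one from the vendor advisory.
function Get-FilesSignedBy {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Assumed search roots; adjust to where the vendor's software lives.
        [string[]]$Roots = @("$env:SystemRoot\System32\drivers", "$env:ProgramFiles")
    )
    Get-ChildItem -Path $Roots -Recurse -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Status      = $sig.Status                      # current validity of the signature
                    Signer      = $sig.SignerCertificate.Subject
                    NotAfter    = $sig.SignerCertificate.NotAfter
                    TimeStamped = [bool]$sig.TimeStamperCertificate  # counter-signed by a timestamp authority
                }
            }
        }
}

Get-FilesSignedBy -Thumbprint 'REPLACE-WITH-THUMBPRINT-FROM-ADVISORY' | Format-Table -AutoSize
```

The TimeStamped column is worth keeping: a timestamp countersignature is what lets an Authenticode signature remain valid after the signing certificate's own validity period ends, so it decides which of the listed files keep a valid signature once the certificate is gone and which will need a re-signed replacement from the vendor.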

Windows shell vulnerability requires nothing more than forgotten quotes

by
Anonymous Coward
in security on (#2T7S)
Windows SysAdmins: before you laugh yourself to sleep over all those Linux systems struggling to patch Shellshock vulnerabilities, a recently discovered flaw in Windows PowerShell allows similar privilege escalation with very little work. The vulnerability relies upon:
a simple coding error, allowing untrusted input to be run as a command. In the current incarnation of the exploit, an attacker appends a valid command onto the end of the name of a directory using the ampersand character. A script with the coding error then reads the input and executes the command with administrator rights.
Seems if mankind can make it, mankind can also break it. Keep those systems patched, folks!
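The error described above is ordinary command injection: a directory name is spliced into a command line that a shell parses, and the shell treats `&` as a command separator. The following is an added example written for this page, not the vulnerable script from the report; it assumes the script runs elevated and that the directory name comes from an untrusted source.

```powershell
# Added example (not code from the article or the script it describes).
# Assumptions: the script runs with administrator rights and $DirectoryName
# arrives from an untrusted source (a request form, a share, a ticket).

function Invoke-VulnerableDirList {
    param([string]$DirectoryName)
    # BUG: the untrusted name is spliced, unquoted, into a line that cmd.exe parses.
    # cmd.exe treats '&' as a command separator, so whatever follows it runs too.
    cmd.exe /c "dir $DirectoryName"
}

function Invoke-SafeDirList {
    param([string]$DirectoryName)
    # No shell at all: the value reaches the cmdlet as a path and nothing else.
    # -LiteralPath also keeps wildcards and '[' ']' from being interpreted.
    if (-not (Test-Path -LiteralPath $DirectoryName -PathType Container)) {
        throw "Not a directory: $DirectoryName"
    }
    Get-ChildItem -LiteralPath $DirectoryName -Force
}

# Constructed input: a directory that exists, followed by an injected command.
$Dir = Join-Path $env:TEMP 'dirlist-demo'
New-Item -ItemType Directory -Force -Path $Dir | Out-Null
$Payload = "$Dir & echo INJECTED-COMMAND-RAN-AS-$env:USERNAME"

Invoke-VulnerableDirList -DirectoryName $Payload   # lists $Dir, then the injected echo runs
try { Invoke-SafeDirList -DirectoryName $Payload } catch { Write-Warning $_ }   # rejected: no such directory
Invoke-SafeDirList -DirectoryName $Dir              # the legitimate call still works
```

Note that wrapping `$DirectoryName` in quotes inside the cmd.exe line is not a fix: an input that itself contains a double quote closes the quoting and the rest is parsed again. The fix is to stop composing shell command lines from input, which is what the second function does, and to validate the value as a path before using it.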