March 10th, 2009, 11:41 PM
#1
Microsoft March Security Bulletins
Hi All,
As usual, the Microsoft Security Bulletins have been released; nothing new here, but I wanted to draw your attention to MS09-007.
March advisories - http://www.microsoft.com/technet/sec.../ms09-mar.mspx
MS09-007 - http://www.microsoft.com/technet/sec.../MS09-007.mspx
<Quote>A spoofing vulnerability exists in the Microsoft Windows SChannel authentication component when using certificate based authentication. An attacker who successfully exploited this vulnerability would be able to authenticate to a server using only an authorized user’s digital certificate and without the associated private key.</Quote>
Ummm, doesn't this defeat the whole purpose of certificate based authentication? So now if I am using "strong" certificate based authentication on Microsoft Windows (without the process and certificates being integrated with AD, as this channel is supposedly not vulnerable), then if some user in my domain exploited this vulnerability they could represent themselves as any other user, if you assume that public keys are in fact public, like they are supposed to be. Doesn't this render the certificate based authentication at least as weak as, and probably weaker than, password based authentication?
This has only been rated as "Important" by Microsoft!!!
ISC/SANS have rated it critical; I would have thought that, for those using this technology, that is appropriate.
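The proof-of-possession check that certificate-based authentication depends on, as an added example that is not part of the original post and is not SChannel code. It models only the outcome the bulletin describes (a certificate accepted without proof of the private key), using toy unpadded RSA with a constructed key; all names are hypothetical and chain validation is assumed to happen elsewhere.

```python
import hashlib

# Toy textbook RSA (unpadded, ~150-bit modulus): illustration only, never for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537      # two Mersenne primes (constructed key)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent: stays with the key owner

# Stand-in for a certificate: identity bound to a PUBLIC key. Anyone may hold a copy.
ALICE_CERT = {"subject": "alice", "n": N, "e": E}


def digest(nonce: bytes, n: int) -> int:
    """Hash the server's challenge into an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


def sign(nonce: bytes, d: int, n: int) -> int:
    """Client side: only the private-key holder can compute this value."""
    return pow(digest(nonce, n), d, n)


def server_authenticate(cert, nonce, signature, require_proof=True):
    """Return the authenticated subject, or None if authentication fails.

    require_proof=False models a server that accepts the certificate alone,
    which is the outcome described in the quoted bulletin text.
    """
    if not require_proof:
        return cert["subject"]             # public data alone grants the identity
    if signature is None:
        return None                        # no proof of possession offered
    # The signature must verify against THIS session's fresh nonce.
    if pow(signature, cert["e"], cert["n"]) == digest(nonce, cert["n"]):
        return cert["subject"]
    return None


if __name__ == "__main__":
    nonce = b"constructed-session-nonce-1"
    print("key holder:       ", server_authenticate(ALICE_CERT, nonce, sign(nonce, D, N)))
    print("certificate only: ", server_authenticate(ALICE_CERT, nonce, None))
    print("no proof required:", server_authenticate(ALICE_CERT, nonce, None, require_proof=False))
```

With the check in place, holding a copy of the certificate proves nothing; without it, the certificate behaves like a username with no password.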