Time for Open-Source to Grow Up
Jon Lasser, 2002-08-07

The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.

Time for Open-Source to Grow Up 2002-08-07
Not Really Anonymous
Is it really so immature? 2002-08-08
Javier Fernandez-Sanguino (1 replies)
Aren't you over-exaggerating? The fact is that the trojan was discovered almost immediately due to the MD5 checksum checks and did not spread at all (to other operating systems that do use OpenSSH source, like any major Linux distribution). The impact of this issue is not even close to the one the TCP-wrappers trojan [0] had quite some time ago, and even then MD5sums also helped detect (and eliminate) it.

The person who discovered the trojan [1] was warned thanks to the checksum mismatch.

Granted, software (and package) signatures are still an issue for many operating systems [2], but it is something that has to be done properly.

Still, in any case, free software is catching up with many other proprietary operating systems. For example, Solaris might provide signed patch releases [3], but it uses an internal CA (SUNWcert) and special patch management tools. But what about the operating system itself (the packages)? The fact is, there doesn't seem to be a tool in the base operating system [4] to check digital signatures, nor are packages signed. The Windows XP [5] installer also uses digital signatures (but they have also had problems with them :-) [6]


[0] http://www.cert.org/advisories/CA-1999-01.html
[1] http://www.mavetju.org/weblog/weblog.php
[2] see:
    http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html
    http://www.seifried.org/security/articles/20011023-devil-in-details.html
    http://www.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html
[3] http://sunsolve.sun.com/patches/spfaq.html
[4] http://wwws.sun.com/software/solaris/solaris9_features_security.html
[5] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/over_6boy.asp
[6] http://www.itworld.com/Sec/4039/IW010322hnmicroversign/
    http://www.microsoft.com/windows2000/downloads/recommended/q253341/default.asp

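The check the comment above credits with catching the trojan, as an added example (editor's code, not from the SecurityFocus page, the commenter, or any OpenSSH or FreeBSD tool): the digest of the downloaded archive is compared with one recorded earlier, out of band. Both checksum-file styles in common use are parsed: the BSD/FreeBSD distinfo form, `MD5 (file) = hex`, and the GNU coreutils form, `hex  file`. The archives, checksum lines and file names below are constructed for the demo; none is a real OpenSSH release.

```python
"""Verify downloaded distribution files against checksums recorded out of band.

Added example; not code from the page or from any project. The sample
archives and checksum lines are constructed for the demonstration.
"""
import hashlib
import re

# One pattern per recorded line style. The BSD form names its algorithm on
# the line; the GNU form does not, so the caller supplies a default (md5 here,
# matching the ports-tree checks discussed in the thread).
_BSD_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$")
_GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+) [ *](?P<name>\S.*)$")


def parse_checksums(text, default_algo="md5"):
    """Return {filename: (algorithm, expected_hex)} from checksum-file text."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD_LINE.match(line)
        if m:
            expected[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
            continue
        m = _GNU_LINE.match(line)
        if m:
            expected[m.group("name")] = (default_algo, m.group("hex").lower())
            continue
        # Refuse to guess: a checksum file we cannot parse must not verify anything.
        raise ValueError("unrecognised checksum line: %r" % raw)
    return expected


def verify(files, expected):
    """Compare each downloaded file (name -> bytes) with its recorded digest.

    Returns {name: status}, status being "ok", "MISMATCH" or "unlisted".
    A file with no recorded checksum is reported rather than silently passed,
    so an extra file dropped onto a mirror does not get a free pass.
    """
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        algo, want = expected[name]
        got = hashlib.new(algo, data).hexdigest()
        results[name] = "ok" if got == want else "MISMATCH"
    return results


# --- Constructed demo data (not real OpenSSH archives) ----------------------
CLEAN_TARBALL = b"openssh-3.4p1 clean release archive (constructed)\n"
TROJANED_TARBALL = CLEAN_TARBALL + b"# extra bytes standing in for the backdoor\n"

# The digest the checker already held, recorded from the clean archive before
# the mirror copy was tampered with: the out-of-band reference that matters.
DISTINFO = "MD5 (openssh-3.4p1.tar.gz) = %s\n" % hashlib.md5(CLEAN_TARBALL).hexdigest()
MD5SUMS = "%s  openssh-3.4p1.tar.gz\n" % hashlib.md5(CLEAN_TARBALL).hexdigest()


def demo():
    """Check a tampered download plus an unlisted file against the distinfo."""
    expected = parse_checksums(DISTINFO)
    downloads = {
        "openssh-3.4p1.tar.gz": TROJANED_TARBALL,
        "extra.tar.gz": b"not in distinfo",
    }
    return verify(downloads, expected)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-24s %s" % (name, status))
```

The point the comment makes rests on where the reference digest came from: the distinfo lived in a ports tree fetched separately from the mirror that served the archive. A checksum file downloaded from the same compromised mirror next to the tarball proves nothing, because whoever replaced the archive can replace the checksum as well; that gap is exactly what a detached signature over the archive (or over the checksum file) from a key obtained through another channel is meant to close.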
Copyright 2009, SecurityFocus