[wpkg-users] security issues

Jerome Haltom wasabi at larvalstage.net
Tue Jun 5 05:06:19 CEST 2007


Yup. You'll need to ensure that the proper security is enabled on your
domain. You should do this anyways.

There are various settings in Group Policy for requiring signing or
encryption between machines. And there are various settings in DNS to
require signing of records (DNSSEC). As usual, disable insecure
mechanisms like NetBIOS.

You can harden machines like this. Admittedly, most people probably
don't.

On Tue, 2007-06-05 at 12:47 +1000, Brian May wrote:
> Hello,
> 
> Has anybody considered security issues with wpkg?
> 
> As far as I can tell, wpkg requires the local network to be
> trusted. If it cannot be trusted, and the server goes off-line, then
> anybody could set up a fraudulent server with the same name, which
> serves a fraudulent copy of wpkg.js that does malicious things.
> 
> As wpkg.js runs, automatically, as the system user on every Windows
> computer, this would be an easy way to bring all Windows computers in
> a company down.
> 
> I conducted some tests using domain level security, but found
> domains do not prevent this type of attack.
> 
> Any thoughts?
> 
> Thanks.
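
A local check for the settings the reply mentions (signing required between machines, NetBIOS over TCP/IP disabled), as an added example that is not part of the original thread. The registry locations are the standard Windows ones and are an assumption here, not taken from the posts; DNSSEC is configured on the DNS side and is not covered.

```powershell
# Added example: report whether this machine requires SMB signing and has
# NetBIOS over TCP/IP disabled. Read-only; run from an elevated prompt.
$checks = @(
    @{ Name  = 'SMB client requires signing'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB server requires signing'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 }
)

$results = @(foreach ($c in $checks) {
    $props  = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -eq $props) { $null } else { $props.($c.Value) }
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{ Check = $c.Name; Actual = $shown; Ok = ($actual -eq $c.Want) }
})

# NetBIOS over TCP/IP is set per interface: NetbiosOptions = 2 means disabled.
$nbRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$results += @(Get-ChildItem -Path $nbRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue
    $opt   = if ($null -eq $props) { $null } else { $props.NetbiosOptions }
    $shown = if ($null -eq $opt) { 'not set' } else { $opt }
    [pscustomobject]@{
        Check  = "NetBIOS disabled on $($_.PSChildName)"
        Actual = $shown
        Ok     = ($opt -eq 2)
    }
})

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or monitoring job flag the machine.
if ($results.Ok -contains $false) { exit 1 }
```

A missing value is reported as "not set" and counted as a failure, since an unset policy leaves the default behaviour in place.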


