The way operating system vendors issue security patches is insecure in many cases, and crackers could exploit this to trick users into loading trojan horses onto their systems. Security firm BindView, whose Razor team of security researchers completed the research, questioned 27 different vendors of commonly used products on whether their patches are accompanied by digital signatures or other forms of cryptographic authentication. Its findings, available in full here, are a real eye-opener because they highlight glaring security gaps, not least that a minority of vendors, including Apple and Compaq, provide no authentication at all for their patches.

"A number of the vendors (including some Fortune 500 companies) do not offer patch authentication via any cryptographic method. This can make it very difficult for customers to verify that they have obtained a correct patch rather than a trojan horse," said Matt Power, of BindView's Razor security team.

The link for this article located at The Register is no longer available.