Binary supply-chain attacks are not “minor security issues”.
Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.
Not having a security first posture on these kinds of attacks is how the xz event happened
No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more (attack surface is larger) than if they’re only updated when absolutely necessary…
It’s just plain a poor argument and I’m tired of every armchair expert pretending that its not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.
Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from… you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.
iVentoy and Ventoy are two completely different softwares and have no shared files.
You seem to be implying that because iVentoy (which is not Ventoy) is vulnerable to this attack then that means that Ventoy is also vulnerable which is not only highly speculative, it remains to be seen.
Actually, when iVentoy boot Windows through PXE, it will boot the WinPE with test mode, so there is no need for the driver file to be signed. So httpdisk_sig.sys is actually not needed and can be removed later.
The dev goes on to explain;
the httpdisk driver will be installed only in the temporary WinPE environment (running in the RAM), not the final Windows system
The driver is singularly used in the PE environment. That’s it.
Is this a security issue? Sure. Is it as bad as everyone wants to make it out to be? Not really. From start to finish the Ventoy fever people seem to be getting by unsigned blobs is simply insane. Its a bout of hysteria and it’s not impressive at all.
Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.
No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more (attack surface is larger) than if they’re only updated when absolutely necessary…
It’s just plain a poor argument and I’m tired of every armchair expert pretending that its not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.
Just gonna drop this one in here.
https://github.com/ventoy/PXE/issues/106
Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from… you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.
So, yea, not a minor thing, even for Ventoy.
Directly from the developer:
You seem to be implying that because iVentoy (which is not Ventoy) is vulnerable to this attack then that means that Ventoy is also vulnerable which is not only highly speculative, it remains to be seen.
The dev goes on to explain;
The driver is singularly used in the PE environment. That’s it.
Is this a security issue? Sure. Is it as bad as everyone wants to make it out to be? Not really. From start to finish the Ventoy fever people seem to be getting by unsigned blobs is simply insane. Its a bout of hysteria and it’s not impressive at all.