• fmstrat@lemmy.nowsci.com
    14 hours ago

    Just gonna drop this one in here.

    https://github.com/ventoy/PXE/issues/106

    Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from… you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.

    So, yeah, not a minor thing, even for Ventoy.

    • Xanza@lemm.ee
      6 hours ago

      Directly from the developer:

      iVentoy and Ventoy are two completely different softwares and have no shared files.

      You seem to be implying that because iVentoy (which is not Ventoy) is vulnerable to this attack then that means that Ventoy is also vulnerable which is not only highly speculative, it remains to be seen.

      Actually, when iVentoy boot Windows through PXE, it will boot the WinPE with test mode, so there is no need for the driver file to be signed. So httpdisk_sig.sys is actually not needed and can be removed later.

      The dev goes on to explain:

      the httpdisk driver will be installed only in the temporary WinPE environment (running in the RAM), not the final Windows system

      The driver is singularly used in the PE environment. That’s it.

      Is this a security issue? Sure. Is it as bad as everyone wants to make it out to be? Not really. From start to finish the Ventoy fever people seem to be getting by unsigned blobs is simply insane. It's a bout of hysteria and it’s not impressive at all.