Summary
Collision vulnerabilities in MD5 Checksums - It is possible to create different executables which have the same md5 hash.
The attacks remain limited, for now.
The attack allows blocks in the checksumm'd file to be swapped out for other blocks without changing the final hash.
This is an excellent vector for malicious developers to get unsafe code past a group of auditors,
perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised
to embed safe versions of dangerous payloads in each build. A tool to demonstrate these vulnerabilities is available here.
- Reference
Doxpara Research - 2004-12-06
http://www.doxpara.com/
packet storm - md5_someday.pdf
http://packetstormsecurity.org/filedesc/md5_someday.pdf.html
via
TokuLog! - 2004-12-07http://tokuhirom.dnsalias.org/~tokuhirom/cl/2004-12-07.html#2004-12-07-6