Last revised: October 25, 2000 14:12:23 EDT
Source: Sun Microsystems; CERT/CC
A complete revision history is at the end of this file.
To aid in the wide distribution of essential security information,
the CERT Coordination Center is forwarding the following information
from Sun Microsystems. Sun urges you to act on this information as
soon as possible. Contact information for the Sun security team can
be found in their bulletin, which is referenced in the vendor appendix to this document.
The description below is an excerpt from Sun
Security Bulletin 198. The original text can be found here.
Systems Affected
Overview
I. Description
Date: October 24, 2000
Cross-Ref:
Title: Browser Certificates
Additional information from the CERT/CC
Sun Microsystems has revoked the certificates with the following serial numbers:
You can confirm the revocation of these certificates at https://digitalid.verisign.com/services/server/search.htm.
II. Impact
Users who accept these certificates into their browser may
inadvertently run malicious code signed by the compromised
certificates. Any such code would appear to be from Sun Microsystems,
thus creating a misleading sense of trust.
Sun Microsystems has provided identification information for the
compromised certificates as well as instructions on how to remove them
from common browsers. Users should follow Sun's
instructions to remove these certificates from
their browser and to prevent possible future addition.
The CERT Coordination Center thanks Sun Microsystems for bringing
this issue to our attention.
Author: The CERT/CC portions of this document were written by Jeffrey P. Lanza.
Feedback on this advisory is appreciated.
III. Solution
Remove the Compromised Certificates
Appendix A. Vendor Information
Sun Microsystems
Sun's official copy of their bulletin can be found at:
Copyright 2000 Carnegie Mellon University.
Revision History
October 25, 2000: Initial release
October 25, 2000: Updated author section and references to Sun Security Bulletin 198.