Original release date: October 25, 2000 13:39:00 EDT
Last revised: October 25, 2000 14:12:23 EDT
Source: Sun Microsystems; CERT/CC
A complete revision history is at the end of this file.
- Systems relying on the validity of the Sun Microsystems certificates mentioned below
Overview
To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Sun Microsystems. Sun urges you to act on this information as soon as possible. Contact information for the Sun security team can be found in their bulletin, which is referenced in the vendor appendix to this document.
The description below is an excerpt from Sun Security Bulletin 198. The original text can be found here.
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00198
Date: October 24, 2000
Cross-Ref:
Title: Browser Certificates
Bulletin Topics
Sun advises of a potential compromise of 2 specific security certificates which had limited distribution. Sun recommends that you follow the directions found at http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if your web browser has accepted any of the potentially compromised certificates.
Who is Affected
A web browser that has accepted a Sun certificate with one of the following serial numbers:
- 3181 B12D C422 5DAC A340 CF86 2710 ABE6 (Internet Explorer)
- 17:05:FB:13:A2:2F:9A:F3:C1:30:F5:62:6E:12:50:4C (Netscape)
Understanding the Vulnerability
Web browsers accept security certificates from trusted sources. A specific certificate from Sun may have received outside exposure. Systems that encounter this certificate are potentially vulnerable to attack from malicious applets, applications or components.
Corrective Action
Follow the instructions at http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if your browser has accepted one of the potentially compromised certificates. If your browser contains this particular certificate, follow the instructions to remove it.
Additional information from the CERT/CC
Sun Microsystems has revoked the certificates with the following serial numbers:
- 3181 B12D C422 5DAC A340 CF86 2710 ABE6
- 1705 FB13 A22F 9AF3 C130 F562 6E12 504C
You can confirm the revocation of these certificates at https://digitalid.verisign.com/services/server/search.htm.
II. Impact
Users who accept these certificates into their browser may inadvertently run malicious code signed by the compromised certificates. Any such code would appear to be from Sun Microsystems, thus creating a misleading sense of trust.
Remove the Compromised Certificates
Sun Microsystems has provided identification information for the compromised certificates as well as instructions on how to remove them from common browsers. Users should follow Sun's instructions to remove these certificates from their browser and to prevent possible future addition.
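
The two revoked serial numbers are shown in different display formats above (space-separated groups for Internet Explorer, colon-separated bytes for Netscape). The following Python code is an added example, not part of the advisory or of Sun's bulletin: it normalizes a displayed serial and reads the serial number field from a DER-encoded certificate so either can be compared against the revoked pair. The function names and the sample bytes are assumptions made for illustration.

```python
# Added example: match certificate serials against the two revoked Sun serials.
REVOKED = {  # serial numbers as listed in this advisory
    int("3181B12DC4225DACA340CF862710ABE6", 16),
    int("1705FB13A22F9AF3C130F5626E12504C", 16),
}

def parse_displayed_serial(text):
    """Convert a serial as a browser shows it (spaces or colons) to an int."""
    digits = "".join(ch for ch in text if ch not in " :\t\r\n")
    if not digits or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError("not a hex serial number: %r" % text)
    return int(digits, 16)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def serial_from_der(cert):
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber."""
    tag, start, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, _ = _read_tlv(cert, start)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, start, end = _read_tlv(cert, start)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, start, end = _read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    return int.from_bytes(cert[start:end], "big")

def is_revoked(serial):
    return serial in REVOKED

# Constructed input: only the outer DER skeleton down to the serial field,
# not a real certificate.
SAMPLE = bytes.fromhex("3019" "3017" "a003020102" "0210"
                       "1705fb13a22f9af3c130f5626e12504c")
```
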
Sun Microsystems
Sun's official copy of their bulletin can be found at:
- http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&type=0&nav=sec.sba
The CERT Coordination Center thanks Sun Microsystems for bringing this issue to our attention.
Author: The CERT/CC portions of this document were written by Jeffrey P. Lanza. Feedback on this advisory is appreciated.
Copyright 2000 Carnegie Mellon University.
Revision History
October 25, 2000: Initial release
October 25, 2000: Updated author section and references to Sun Security Bulletin 198.