Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-01-08 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Symantec AV linked to Verisign certificate problem, DUGallery, False Weather Alerts, more phishing

Published: 2004-01-08
Last Updated: 2004-01-08 21:26:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Verisign Certificate Expiration linked to Symantec AV issue

Today, a Verisign root certificate included with Internet Explorer expired. As a result, Verisign's certificate revocation list server was not able to handle all the requests from clients attempting to contact it as a result of the expiration.

Verisign, apparently to lower the load on its server, now resolves this server to non-routable 10/8 IP addresses 50% of the time.

Some applications, most notably Norton Antivirus, use this server to verify certificates. In the case of Norton Antivirus, it is used to verify its signature file.

As 50% of the time, users will not be able to contact Verisigns certificate revocation list, Norton Antivirus will stall.

Workarounds:

Verisign set the TTL of its DNS records rather short. So if you try after one minute again, you will likely get a valid IP address. If this is not an option, edit your hosts file and insert one of these IPs for 'crl.verisign.net':
198.49.161.200, 198.49.161.205, 198.49.161.206, 64.94.110.11.

However, this is not recommended as a long term solution, as these IPs may
change at any time.
http://slashdot.org/article.pl?sid=04/01/08/1849245&mode=thread&tid=126&tid=128&tid=172&tid=95

http://www.verisign.com/support/vendors/exp-gsid-ssl.html?sl=070807


Web Defacements

At least one web-defacement crew appears to use Google to find sites with
vulnerable versions of 'DUGallery' installed. Recently, a number of issues
regarding this product where posted to Bugtraq. As of this writing, no
updates are available.

http://seclists.org/lists/bugtraq/2003/Dec/0246.html

False Weather Alerts

A user reported that the "Weatherbug" application he is using is displaying
false weather alerts. We have not identified the source of the false alerts. According to the report we received, corrections followed shortly after the false warnings had been received.

Phishing sites of the day

We did receive reports about spam advertising a fake Citibank site.

-----------

Johannes Ullrich, SANS Institute, jullrich_AT_sans.org
Keywords:
0 comment(s)
Diary Archives