
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-08



Firefox 1.0.3 Alternate Workaround; OhMyGodGoogleIsGone!, Update: IPSec vuln announced

Published: 2005-05-08
Last Updated: 2005-05-10 01:38:48 UTC
by Tom Liston (Version: 1)

Firefox 1.0.3 Alternate Workaround




Thanks to VMM for pointing out that an alternate (and perhaps better) workaround for the recently announced remote code execution flaw in Firefox 1.0.3 is to disable "remote software installation," rather than disabling all JavaScript. In the Win32 version of Firefox, this is accomplished by:



Tools | Options | Web Features | and clearing the "Allow web sites to install software" checkbox.



Two Notes:



1) There is some question as to the availability of this setting in Firefox on platforms other than Windows... YMMV.

2) While this seems like a reasonable workaround, it has not been tested.
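One way to confirm the checkbox state for a given profile, as an added example that is not part of the original diary: the script reads the contents of a profile's prefs.js and user.js and reports whether software installation is still allowed. It assumes the checkbox is stored as the boolean preference `xpinstall.enabled` with a default of true when unset; the sample file contents are constructed. It checks only that the setting is applied, not that the workaround stops the flaw.

```python
import re

# Assumption (not stated in the diary): the "Allow web sites to install
# software" checkbox is stored as this boolean pref, defaulting to true.
PREF = "xpinstall.enabled"
DEFAULT = True

_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for user_pref() lines; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def install_allowed(prefs_js="", user_js=""):
    """Effective setting for a profile; user.js overrides prefs.js at startup."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    # Anything other than an explicit boolean false counts as still allowed.
    return merged.get(PREF, DEFAULT) is not False

# Constructed sample file contents, not taken from a real profile.
PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("xpinstall.enabled", false);
'''
USER_JS = '''// constructed: a user.js that silently re-enables installs
user_pref("xpinstall.enabled", true);
'''

if __name__ == "__main__":
    print("prefs.js only:      allowed =", install_allowed(PREFS_JS))
    print("prefs.js + user.js: allowed =", install_allowed(PREFS_JS, USER_JS))
    print("fresh profile:      allowed =", install_allowed())
```

The second case is the one worth checking for: a user.js in the profile re-applies its value at every start, so clearing the checkbox in the options dialog does not persist.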



OhMyGodGoogleIsGone!




A few weeks back, when we reported some fairly widespread incidents of DNS Cache poisoning, we had quite a few people claiming that we were full of beans. Eventually, as we were able to piece together the full picture, we were proven right. (And, try as I may, I can't recall receiving an apology from any of the folks who said we didn't know what we were talking about...)



Flash forward to Google's recent outage, and suddenly "DNS Cache Poisoning" is the first word on everyone's lips.



Sometimes I think the communal-mind created by the entire online community wears big, fuzzy, pink slippers, lives in a double-wide, and has a lifetime subscription to the Weekly World News.



Of course, we all know that nothing on the Internet is ever as it seems...



Google went bye-bye for 15 minutes. Or perhaps it was an hour. It depends on who you ask... (or how long your DNS server cached the bogus information).



This is, of course, one of several signs that Nostradamus predicted would signal the end days.



And while several people were quick to expound theories about what caused the outage, we prefer to stick with the simplest explanation (which is also what Google is saying...): it was a DNS issue. Somebody in charge of Google's DNS did something dumb.



It fits the facts as we have heard them ("google.com" unavailable, but still reachable if you used the IP address).



But what of the mysterious "redirects" to other search pages? Yesterday we reported that readers were seeing some suspicious "redirects" to an alternate search engine called "SoGoSearch." It turns out that "SoGoSearch" owns the domain name "com.net," and the machines "www.google.com.net" and "google.com.net" lead you to their search engine. So... if an overzealous browser tried to "fix" an unavailable "google.com," it's quite likely that you could end up looking at the SoGo search engine.



As an aside: The fact that you can do a WHOIS lookup and find a listing showing:



GOOGLE.COM.SU***.FIND.CRACKZ.WITH.SEARCH.*****.COM



doesn't mean that the entire DNS system has been compromised. It simply means that someone with far too much time on their hands registered their nameserver with that goofy name.



Such childish stunts are widely acknowledged to increase your attractiveness to the opposite sex. Failing that, you can always slip on your big, fuzzy, pink slippers and spend your nights reading the Weekly World News.



------------------------------------------------------------------------

Handler on duty : Tom Liston - tom at intelguardians dot com