Mozilla NSS fails to properly verify RSA signatures
This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate.
Mozilla has released patch for this vulnerability (MSFA 2014-73). Mozilla NSS is used by other software products including a number of Linux distributions and packages, Google Chrome, and Google Chrome OS.
What users can do immediately
Individual Firefox browser users can take immediate action by updating their browsers with the latest patches from Mozilla.
Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.
The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.
The Mozilla NSS library, commonly utilized in the Firefox web browser, can also be found in Thunderbird, Seamonkey, and other Mozilla products. Dubbed “BERserk”, this vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to websites utilizing SSL/TLS. Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.