Attention! If you use Mozilla products for Internet browsing and email, there is something you should know.
On September 24th, Mozilla released updates to combat a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) library used by Firefox, Thunderbird, SeaMonkey, and other Mozilla products. The Chrome browser is also affected, and Google has released a similar update to fix Chrome.
According to Mozilla’s Security Blog and Information Week’s Dark Reading site, “users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could be used by attackers to trick victims into revealing personal information (like usernames and passwords) or downloading malware.”
Aptly named Berserk, the vulnerability was discovered independently by two different entities: the Intel Security Advanced Threat Research team and the security researcher Antoine Delignat-Lavaud of the Prosecco team at Inria Paris. Fortunately, no attacks exploiting the vulnerability are known to have occurred. Berserk is a variation on the Bleichenbacher PKCS#1 RSA signature verification vulnerability of 2006.
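Both Berserk and the 2006 Bleichenbacher flaw live in the step where a verifier inspects the PKCS#1 v1.5 encoded message recovered from an RSA signature. The check below is an added illustration (not NSS code, not from Mozilla's or Google's fix): it rebuilds the expected encoding from the message and compares the whole block, which is the verification method RFC 8017 prescribes and which rejects any block whose padding or DigestInfo placement is off. The modulus length, message and malformed blocks are constructed for the demonstration.

```python
"""Strict EMSA-PKCS1-v1_5 check: rebuild the expected encoded message (EM)
and compare the whole block, instead of scanning for the DigestInfo in it."""
import hashlib
import hmac

# DER prefixes of DigestInfo for two common hashes (RFC 8017, Section 9.2, Note 1).
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15_encode(message: bytes, k: int, hash_name: str = "sha256") -> bytes:
    """RFC 8017 EMSA-PKCS1-v1_5-ENCODE: 00 01 FF..FF 00 || DigestInfo(H(M)), k bytes long."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_em_strict(em: bytes, message: bytes, k: int, hash_name: str = "sha256") -> bool:
    """Accept only if the recovered EM equals the freshly built encoding byte for byte.
    Extra bytes, short padding, or a shifted DigestInfo all make the comparison fail."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k, hash_name))

# Constructed demonstration values (not taken from any real certificate or signature).
K = 256  # modulus length in bytes for a 2048-bit RSA key
MSG = b"tbsCertificate bytes would go here"

def demo() -> dict:
    """Run the strict check over a genuine block and three malformed ones."""
    good = emsa_pkcs1_v15_encode(MSG, K)
    t = DIGEST_INFO_PREFIX["sha256"] + hashlib.sha256(MSG).digest()
    # DigestInfo placed early with filler after it: a parser that stops once it has
    # found the hash would accept this layout; full-block comparison does not.
    shifted = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    shifted += b"\x00" * (K - len(shifted))
    # Correct layout, but one padding byte altered.
    flipped = bytearray(good)
    flipped[10] ^= 0x01
    return {
        "genuine": verify_em_strict(good, MSG, K),
        "shifted": verify_em_strict(shifted, MSG, K),
        "flipped": verify_em_strict(bytes(flipped), MSG, K),
        "wrong_message": verify_em_strict(good, b"other", K),
    }
```

The check deliberately never parses the DigestInfo: if the recovered block is not exactly the one the verifier would have produced itself, the signature is rejected.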
In addition to Google Chrome, the following applications and versions are affected and require updates to fix:
- Firefox 32.0.3
- Firefox for Android 32.0.3
- Firefox for Android 31.1.1
- Firefox ESR 31.1.1
- Firefox ESR 24.8.1
- Thunderbird 31.1.2
- Thunderbird 24.8.1
- SeaMonkey 2.29.1
For more information regarding the Berserk vulnerability, please see the following blogs and articles:
- Mozilla’s Security Blog
- Information Week’s Dark Reading Article
- Release Updates from the Google Chrome Team