Mozilla vulnerability goes BERserk

Security researchers have discovered a critical forgery vulnerability in Mozilla’s Network Security Services (NSS) crypto library that could allow attackers to forge RSA certificates used to secure data transmissions.

“Dubbed BERserk, this vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to Web sites utilizing SSL/TLS,” said Mike Fey, chief technology officer of corporate products for security software firm McAfee Inc. “Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure Web sites.”

The Mozilla NSS library is used in the Firefox browser but is also found in Thunderbird, SeaMonkey and other Mozilla products. BERserk was discovered by the Intel Security Advanced Threat Research team.

The vulnerability was called BERserk, because the attack exploits a vulnerability in the parsing of ASN.1 encoded messages during signature verification, said Fey. ASN.1 messages are made up of various parts that are encoded using BER (Basic Encoding Rules) and DER (Distinguished Encoding Rules).

Fey said BERserk is a variation of the 2006 Bleichenbacher PKCS#1 RSA Signature Verification vulnerability.
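A verifier can avoid parsing the ASN.1 in a signature altogether by rebuilding the one valid DER encoding and comparing bytes. The sketch below is an added example, not NSS code: it assumes SHA-256, a 2048-bit modulus and that the RSA public-key operation has already produced the encoded message; all function names are hypothetical.

```python
import hashlib
import hmac

# DER-encoded DigestInfo header for SHA-256 (RFC 8017, section 9.2 notes).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(message: bytes, em_len: int) -> bytes:
    """Return the single valid EMSA-PKCS1-v1_5 encoding for `message`."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    pad_len = em_len - len(t) - 3
    if pad_len < 8:
        raise ValueError("encoded message too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t

def strict_check(em: bytes, message: bytes) -> bool:
    """Re-encode and compare byte for byte; no ASN.1 parsing of `em` at all."""
    try:
        want = expected_em(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, want)

def ber_variant(message: bytes, em_len: int) -> bytes:
    """Constructed sample: same DigestInfo values, but the outer SEQUENCE
    length is written in BER long form (0x81 0x31) instead of DER's 0x31."""
    t = b"\x30\x81\x31" + SHA256_PREFIX[2:] + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

MESSAGE = b"constructed sample message"
EM_LEN = 256  # byte length of a 2048-bit modulus (assumed)

if __name__ == "__main__":
    print("DER encoding accepted:", strict_check(expected_em(MESSAGE, EM_LEN), MESSAGE))
    print("BER variant accepted:", strict_check(ber_variant(MESSAGE, EM_LEN), MESSAGE))
```

A BER-tolerant parser would read identical values from both inputs; the byte comparison accepts only the DER form.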

After discovering BERserk, the Intel team contacted the Computer Emergency Response Team (CERT) Coordination Centre to ensure that the vulnerability’s existence is broadcast and that affected organizations are given guidance to mitigate risks.

McAfee Vulnerability Manager will release an update to check for vulnerable systems and report their exposure but, meanwhile, individual Firefox users can take some immediate action by updating their browsers with the latest patches from Mozilla, said Fey.

Google has also released updates for Google Chrome and ChromeOS, which also use the NSS library.

 


Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.
