Mozilla Patches RSA Signature Forgery in Firefox, Thunderbird, NSS

Users of Mozilla products should update Firefox, NSS, SeaMonkey and Thunderbird in order to obtain fixes for a bug that could let an attacker forge RSA certificates and perform man-in-the-middle attacks.

The Mozilla Foundation has issued a security alert informing users that they have updated a number of their products in order to fix a vulnerability that could allow an attacker to forge RSA certificate signatures and perform man-in-the-middle attacks.

The vulnerability has been known for some time, having been initially and famously reported by now-Google cryptographer, Daniel Bleichenbacher, at the International Cryptography Conference in 2006. However, Antoine Delignat-Lavaud, a security researcher at Inria Paris, only recently realized – and subsequently informed the maker of Firefox and other popular platforms – that the RSA signature forgery still bug affected a variety of Mozilla’s offerings.

The bug exists because of a lenient parsing processĀ for Abstract Syntax Notation One (ASN.1) .

Delignat-Lavaud discovered that Mozilla’s Network Security Services (NSS) are vulnerable to a variant of a signature forgery attack previously published by Bleichenbacher. Affected products also include Firefox 32.0.3, Firefox Extended Support Release (ESR) 24.8.1 and 31.1.1, Thunderbird 31.1.2 and 24.8.1, SeaMonkey 2.29.1 and NSS, 3.16.5 and 3.17.1.

Firefox ESR 31.1.1, Firefox ESR 24.8.1, Thunderbird 31.1.1, and Thunderbird 24.8.1 have been updated and are now using NSS Firefox 32.0.3 and SeaMonkey 2.29.1 have been patched as well and are now using NSS 3.16.5. Projects using NSS 3.17 should update the new 3.17.1 release, Mozilla says.

Suggested articles

Mozilla Bug Bounty Payouts Going Up

Mozilla announced that it has increased rewards for vulnerabilities submitted to its bug bounty program, and that for the first time it will pay for some bugs whose severity is rated moderate.