The Mozilla Foundation has issued a security alert informing users that they have updated a number of their products in order to fix a vulnerability that could allow an attacker to forge RSA certificate signatures and perform man-in-the-middle attacks.
The vulnerability has been known for some time, having been initially and famously reported by now-Google cryptographer, Daniel Bleichenbacher, at the International Cryptography Conference in 2006. However, Antoine Delignat-Lavaud, a security researcher at Inria Paris, only recently realized – and subsequently informed the maker of Firefox and other popular platforms – that the RSA signature forgery still bug affected a variety of Mozilla’s offerings.
The bug exists because of a lenient parsing process for Abstract Syntax Notation One (ASN.1) .
Delignat-Lavaud discovered that Mozilla’s Network Security Services (NSS) are vulnerable to a variant of a signature forgery attack previously published by Bleichenbacher. Affected products also include Firefox 32.0.3, Firefox Extended Support Release (ESR) 24.8.1 and 31.1.1, Thunderbird 31.1.2 and 24.8.1, SeaMonkey 2.29.1 and NSS 184.108.40.206, 3.16.5 and 3.17.1.
Firefox ESR 31.1.1, Firefox ESR 24.8.1, Thunderbird 31.1.1, and Thunderbird 24.8.1 have been updated and are now using NSS 220.127.116.11. Firefox 32.0.3 and SeaMonkey 2.29.1 have been patched as well and are now using NSS 3.16.5. Projects using NSS 3.17 should update the new 3.17.1 release, Mozilla says.