Tech

Critical Mozilla vulnerability discovered

September 25, 2014

Researchers at Intel Security announced yesterday they have uncovered a critical vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.

Dubbed “BERserk,” the vulnerability could allow an attacker to forge RSA signatures, thereby allowing the bypass of authentication to websites using Secure Sockets Layer or Transport Layer Security cryptographic protocols, known as SSL and TLS, respectively.

“Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites,” said Mike Fey, chief technology officer of Intel Security.

The Mozilla NSS library is commonly used in the Firefox Web browser, but it can also be found in Thunderbird, Seamonkey and other Mozilla products.

James Walter, director of advanced threat research at Intel Security, said the company notified both Mozilla and the U.S. Computer Emergency Readiness Team about the vulnerability. Although Intel Security is unaware of any attacks exploiting BERserk, Walter said Intel Security strongly advises individuals and organizations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.

Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.

Why it’s called BERserk

This attack exploits a vulnerability in the parsing of ASN.1 encoded messages during signature verification. ASN.1 messages are made up of various parts that are encoded using BER (Basic Encoding Rules) and/or DER (Distinguished Encoding Rules). This attack exploits the fact that the length of a field in BER encoding can be made to use many bytes of data. In vulnerable implementations, these bytes are then skipped during parsing. This condition enables the attack. BERserk is a variation on the Bleichenbacher PKCS#1 RSA Signature Verification vulnerability of 2006.

Source: Intel Security

Critical Mozilla vulnerability discovered

More Like This

Federal CIO calls on Congress to fund Technology Modernization Fund

DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach

How Google Cloud AI and Assured Workloads can enhance public sector security, compliance and service delivery at scale

Top Stories

Congressional panel outlines five guardrails for AI use in House

With 2023 tax season in the rearview, IRS commissioner eyes expansion of AI capabilities

CMS’s financial office is using LLM pilot to combat loss of institutional knowledge

Top public sector takeaways from Google Cloud Next 2024

Commerce requests information about AI, open data assets, data dissemination

Commerce adds five members to AI Safety Institute leadership

Kiran Ahuja to step down as OPM director

More Scoops

Identity-focused attacks remain the most vulnerable entry point to an organization

Insiders worry CISA is too distracted from critical cyber mission

Sen. Warner criticizes HHS and CISA for lack of coordination on cybersecurity, pushes for new cyber exec

DHS board: No one used software inventories to find vulnerable Log4j deployments

CISA directs civilian agencies to patch ‘critical’ VMware vulnerabilities

Federal agencies have until Dec. 24 to apply fixes for Log4Shell vulnerability

CISA issues cybersecurity incident, vulnerability response playbooks for federal agencies

Latest Podcasts

Critical Mozilla vulnerability discovered

Darryl Peek on Elastic’s role in enhancing public sector search and data analytics with AI and Google collaboration

Danny Werfel on How Automation has Enhanced his Agency’s Operations.

ManTech leaders discuss innovation and security with Google technologies

Tech

Defense

Cyber

Acquisition