Mozilla addresses bug allowing signature forgery in NSS | SC Media
September 25, 2014

On Wednesday, Mozilla patched a vulnerability in Network Security Services (NSS) libraries, which impacted its Firefox web browser, Thunderbird email client and SeaMonkey internet suite. The critical bug (CVE-2014-1568) was discovered by researcher Antoine Delignat-Lavaud and leaves NSS exposed to signature forgery attacks, which could “lead to the forging of RSA certificates,” a Mozilla security advisory said.

The NSS cryptographic library supports development of security-enabled client and service applications, according to a Mozilla developer page. In addition to Delignat-Lavaud, Intel Security's advanced threat research team independently discovered and reported the concern, Mozilla said.

The fix updates Firefox ESR 31.1.1 and 24.8.1, as well as Thunderbird 31.1.1 and 24.8.1, to NSS 3.16.2.1. SeaMonkey 2.29.1 and Firefox 32.0.3 were updated to NSS 3.16.5.