Mozilla addresses bug allowing signature forgery in NSS

On Wednesday, Mozilla patched a vulnerability in Network Security Services (NSS) libraries, which impacted its Firefox web browser, Thunderbird email client and SeaMonkey internet suite. The critical bug (CVE-2014-1568) was discovered by researcher Antoine Delignat-Lavaud and leaves NSS exposed to signature forgery attacks, which could “lead to the forging of RSA certificates,” a Mozilla security advisory said.

The NSS cryptographic library supports development of security-enabled client and service applications, according to a Mozilla developer page. In addition to Delignat-Lavaud, Intel Security's advanced threat research team independently discovered and reported the concern, Mozilla said.

The fix updates Firefox ESR 31.1.1 and version 24.8.1, as well as Thunderbird 31.1.1 and version 24.8.1, to NSS 3.16.2.1. SeaMonkey 2.29.1 and Firefox 32.0.3 were updated to NSS 3.16.5.
