On Wednesday, Mozilla patched a vulnerability in Network Security Services (NSS) libraries, which impacted its Firefox web browser, Thunderbird email client and SeaMonkey internet suite. The critical bug (CVE-2014-1568) was discovered by researcher Antoine Delignat-Lavaud and leaves NSS exposed to signature forgery attacks, which could “lead to the forging of RSA certificates,” a Mozilla security advisory said.
The NSS cryptographic library supports development of security-enabled client and service applications, according to a Mozilla developer page. In addition to Delignat-Lavaud, Intel Security's advanced threat research team independently discovered and reported the concern, Mozilla said.
The fix updates Firefox ESR 31.1.1 and version 24.8.1, as well as Thunderbird 31.1.1 and version 24.8.1 to NSS 126.96.36.199. SeaMonkey 2.29.1 and Firefox 32.0.3 were updated to NSS 3.16.5.