Critical SSL flaw patched in Firefox, Thunderbird, Chrome
If you are a Mozilla Firefox, Thunderbird or Seamonkey user, you should implement the latest patches issued by the company as soon as possible, as they fix a critical bug whose exploitation can lead to successful Man-in-the-Middle attacks.
The bug affects all versions of the Mozilla NSS library, and makes it vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher, Mozilla has explained. “This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.”
The severity of the flaw is also proved by the fact that US-CERT released an alert about it, in which they also warned that the vulnerable Mozilla NSS library is often included in 3rd party software, including Linux distributions, Google Chrome, Google OS and others.
Google has released a security update that fixes the bug for its Chrome stable channel, so Chrome users should update as well. Hopefully, patches for the other affected software will soon follow.
More technical details about the flaw can be found here.
The vulnerability has been reported both by Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security.