McAfee, part of Intel Security, has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) library.
James Walter, director of advanced threat research at Intel Security, says: “Ensuring user security and privacy on the Internet has always been a top priority at Intel Security. In the process of our ongoing research, the Intel Security Advanced Threat Research team discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library.
“Dubbed ‘BERserk’, the vulnerability could be exploited to allow malicious parties to set up fraudulent web sites masquerading as legitimate web sites normally identified and protected by Secure Sockets Layer (SSL) authentication and encryption.
“Upon discovery of this issue, the Intel Security advanced threat research team notified Mozilla to facilitate the mitigation and resolution of the vulnerability. We also engaged CERT/CC to ensure that all affected parties are responsibly and effectively notified and given mitigation guidance on this issue, and to review other commonly used cryptographic libraries for similar issues.
“While Intel is unaware of any attacks exploiting BERserk, we strongly advise individuals and organisations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla. Our customers using McAfee Vulnerability Manager will be protected from this vulnerability through that solution’s web security capabilities.”