TMCnet News
Mozilla users under BERserk attack [ITWeb](ITWeb Via Acquire Media NewsEdge) The Intel Security Advanced Threat research team has discovered a signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library, which it has named BERserk. According to James Walter, director of advanced threat research at Intel Security, the vulnerability could be exploited to allow malicious parties to set up fraudulent Web sites that pose as legitimate Web sites for businesses and other organisations normally protected by secure sockets layer (SSL) encryption. An attacker can forge the authentication between an end-user and their bank Web site. In such a "man-in-the-middle" scenario, all personal data communicated in the browser session can be intercepted and become compromised, says Mike Fey, chief technology officer of corporate products for security software at McAfee. Both integrity and confidentiality of the data exchanged in that session are at risk. "This vulnerability allows for attackers to forge RSA signatures, allowing for the bypass of authentication to Web sites utilising SSL/TLS," said Fey. "Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure Web sites." This issue is named BERserk because the vulnerability is enabled by the incorrect parsing of certain BER (Basic Encoding Rules) encoded sequences in the implementation of RSA signature verification - which enables the attack. The vulnerability is not new, but a variation on the Bleichenbacher PKCS#1 RSA Signature Verification vulnerability of 2006, he adds. Upon discovery, Intel engaged CERT Coordination Centre (CERT/CC) to ensure all affected parties are responsibly and effectively notified and given mitigation guidance on this issue, and to review other commonly used cryptographic libraries for similar issues, says Fey. CERT/CC (http://en.wikipedia.org/wiki/CERT_Coordination_Center) is the co-ordination centre of the computer emergency response team for Internet security incidents. The Intel Web site states Mozilla NSS library, commonly utilised in the Firefox Web browser, can also be found in Thunderbird, Seamonkey and other Mozilla products. Google has released updates for Google Chrome and ChromeOS, as these products also utilise the vulnerable library. McAfee Vulnerability Manager will release an update to check for vulnerable systems and report their exposure, says Intel. Also, the company will continue to review other potential mitigation methods and technologies and keep users up to date. (c) 2014 ITWeb Limited. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info). |