The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organisations, exposing Firefox users (20% of the Internet’s users).
“Ensuring user security and privacy on the Internet has always been a top priority at Intel Security,” said James Walter, Director, Intel Security Advanced Threat Research.
“Dubbed ‘BERserk’, the vulnerability could be exploited to allow malicious parties to set up fraudulent websites masquerading as legitimate websites normally identified and protected by Secure Sockets Layer (SSL) authentication and encryption,” says James.
“Upon discovery of this issue, the Intel Advanced Threat Research team notified Mozilla to facilitate the mitigation and resolution of the vulnerability. We also engaged CERT/CC to ensure that all affected parties are responsibly and effectively notified and given mitigation guidance on this issue, and to review other commonly used cryptographic libraries for similar issues.”
He added, “While Intel is unaware of any attacks exploiting BERserk, we strongly advise individuals and organisations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.
McAfee will continue to update our customers, affected parties, and the broader consumer and business user communities as new details emerge.”
For more information, please see the McAfee blog post: http://blogs.mcafee.com/?p=38215