Google cybersecurity (opens in new tab) researchers have helped patch a critical memory corruption vulnerability affecting Mozilla’s cross-platform Network Security Services (NSS) set of cryptography libraries.
“I've discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project's cross-platform cryptography library. In 2021, all good bugs need a catchy name, so I'm calling this one "BigSig",” writes (opens in new tab) Google Project Zero’s Tavis Ormandy
According to Ormandy, the vulnerability, tracked as CVE-2021-43527, and rated as critical, could have led to a heap-based buffer overflow while verifying DER-encoded DSA or RSA-PSS signatures in several email clients (opens in new tab) and PDF viewers (opens in new tab) that use the buggy NSS versions.
Rated critical
Reporting on the development BleepingComputer (opens in new tab) explains that NSS is used in the development of several security-enabled client and server apps and supports SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards.
In his explanation, Ormandy adds that the bug probably affects all versions of NSS since 3.14, which was released almost a decade ago in October 2012. If exploited, the bug could cause the application to crash, or even enable attackers to execute arbitrary code.
Mozilla has fixed the bug in NSS 3.68.1 and NSS 3.73, and in its advisory (opens in new tab) has clarified that it doesn’t affect Firefox (opens in new tab), Mozilla’s popular web browser (opens in new tab). Instead it believes that open source apps that use NSS for verifying signatures such as Thunderbird (opens in new tab), LibreOffice (opens in new tab), Evolution email client, and Evince PDF reader could all be vulnerable.
If you are concerned about online security, use these best password managers (opens in new tab) to securely lock your accounts, and perhaps even use one of these best security keys (opens in new tab) to add another layer of protection
