Mozilla patches critical security flaw that impacts several popular software offerings
It seems that Firefox isn’t affected
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Googlecybersecurityresearchers have helped patch a critical memory corruption vulnerability affecting Mozilla’s cross-platform Network Security Services (NSS) set of cryptography libraries.
“I’ve discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project’s cross-platform cryptography library. In 2021, all good bugs need a catchy name, so I’m calling this one “BigSig”,”writesGoogle Project Zero’s Tavis Ormandy
According to Ormandy, the vulnerability, tracked as CVE-2021-43527, and rated as critical, could have led to a heap-based buffer overflow while verifying DER-encoded DSA or RSA-PSS signatures in severalemail clientsandPDF viewersthat use the buggy NSS versions.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
Click here to start the survey in a new window«
Rated critical
Reporting on the developmentBleepingComputerexplains that NSS is used in the development of several security-enabled client and server apps and supports SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards.
In his explanation, Ormandy adds that the bug probably affects all versions of NSS since 3.14, which was released almost a decade ago in October 2012. If exploited, the bug could cause the application to crash, or even enable attackers to execute arbitrary code.
Mozilla has fixed the bug in NSS 3.68.1 and NSS 3.73, and in itsadvisoryhas clarified that it doesn’t affectFirefox, Mozilla’s popularweb browser. Instead it believes thatopen sourceapps that use NSS for verifying signatures such asThunderbird,LibreOffice, Evolution email client, and Evince PDF reader could all be vulnerable.
If you are concerned about online security, use thesebest password managersto securely lock your accounts, and perhaps even use one of thesebest security keysto add another layer of protection
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
Quordle today – hints and answers for Saturday, November 9 (game #1020)
