Issue
A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet.
Impact to Users
Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.
Status
The following updates have been released for Mozilla client products:
Firefox 32.0.3
Firefox for Android 32.0.3
Firefox for Android 31.1.1
Firefox ESR 31.1.1
Firefox ESR 24.8.1
Thunderbird 31.1.2
Thunderbird 24.8.1
SeaMonkey 2.29.1
Updates are also available for Beta and other development versions of these products.
Most users will receive these as automatic updates. In addition, they are available from our website for those who have disabled automatic updates (or from the Play store in the case of Firefox for Android).
Other products which incorporate the NSS library should upgrade their copy of NSS to one of the following:
NSS 3.16.2.1
NSS 3.16.5
NSS 3.17.1
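For operators of other products that bundle NSS, the practical question is whether the copy they ship is at or past one of the three fixed releases listed above. The following checker is an added example, not Mozilla or NSS project code. It takes the fixed versions from this page as data and makes one assumption the page does not state: each listed release patches its own branch (3.16.2.1 for the 3.16.2 line, 3.16.5 for the 3.16 line, 3.17.1 for 3.17), and any release newer than 3.17.1 also carries the fix. The function names (parse_version, is_fixed, needs_update) are this example's own.

```python
"""Decide whether an NSS version string is at or past a fixed release.

Added example (not Mozilla/NSS code).  Fixed versions come from the
advisory; the branch logic below is an assumption, not something the
advisory states.
"""

import re
from typing import List, Tuple

# Fixed NSS releases exactly as listed in the advisory.
FIXED_NSS_VERSIONS = ("3.16.2.1", "3.16.5", "3.17.1")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '3.16.2.1' (or a packaged form such as '3.16.2.1-3.el7') into (3, 16, 2, 1).

    Only the leading dotted-integer run is used; distribution suffixes are ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(fixed: Version) -> Version:
    """Release branch a fixed version belongs to: all but its last component.

    Assumption: 3.16.2.1 patches the 3.16.2 line, 3.16.5 the 3.16 line, 3.17.1 the 3.17 line.
    """
    return fixed[:-1]


def is_fixed(version_text: str, fixed_versions=FIXED_NSS_VERSIONS) -> bool:
    """True if the given NSS version is at or past the fix for its branch."""
    v = parse_version(version_text)
    fixed: List[Version] = [parse_version(f) for f in fixed_versions]

    # Fixed releases whose branch is a prefix of the candidate version.
    matching = [f for f in fixed if v[: len(branch_of(f))] == branch_of(f)]
    if matching:
        # Use the most specific branch (longest prefix) as the reference.
        reference = max(matching, key=lambda f: len(branch_of(f)))
        return v >= reference

    # No listed branch matches.  Assumption: anything newer than the newest
    # listed fix (3.17.1) is patched, anything older is not.
    return v >= max(fixed)


def needs_update(version_text: str) -> bool:
    """Convenience wrapper: True when the installed NSS should be upgraded."""
    return not is_fixed(version_text)


if __name__ == "__main__":
    # Constructed sample version strings covering each branch boundary.
    for sample in ("3.15.4", "3.16.2", "3.16.2.1", "3.16.3",
                   "3.16.5", "3.17", "3.17.1", "3.18.0"):
        verdict = "update needed" if needs_update(sample) else "fixed"
        print(f"NSS {sample:<9} -> {verdict}")
```

On a Linux host the installed version string can usually be obtained with `pkg-config --modversion nss` and fed straight to `needs_update`; the parser drops any distribution suffix so packaged strings compare correctly.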
Credit
We would like to thank the following researchers for reporting this issue:
Antoine Delignat-Lavaud of Inria Paris in team Prosecco
The Advanced Threat Research team at Intel Security
Additional information can be found in our advisory.