While much of the technology world has been consumed with the Shellshock vulnerability, which was first reported on Sept. 24, another big open-source vulnerability was disclosed the same day.
Both Mozilla and Google updated their Web browsers on Sept. 24 for a vulnerability that had been present in all prior releases. The updates fix a single issue in the core Network Security Services (NSS) library that is present in both Mozilla Firefox and Google Chrome. The new Mozilla update is Firefox 32.0.3, and the Google Chrome update is version 37.0.2062.124.
The NSS issue, identified as CVE-2014-1568, is a vulnerability that could enable a digital signature forgery attack. CVE-2014-1568 was reported to Mozilla by security researcher Antoine Delignat-Lavaud as well as Intel Security. Intel Security has dubbed the flaw BERserk.
“This issue is named ‘BERserk’ because the vulnerability is enabled by the incorrect parsing of certain BER (Basic Encoding Rules) encoded sequences in the implementation of RSA signature verification,” Intel Security stated in its advisory.
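The class of check Intel Security's description points to can be shown on the encoded message that comes out of the RSA public-key operation. The following is an added example, not code from NSS, the advisory or this article: the function names, the toy lenient parser and the sample bytes are all constructed here, and the long-form length is just one instance of a BER encoding that is not DER (the article does not say which sequences NSS mis-parsed).

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(message, em_len):
    """The single valid EMSA-PKCS1-v1_5 encoding of message at this length."""
    t = PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("encoded message too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def strict_check(em, message):
    """Hardened form: rebuild the expected bytes and compare; 'em' is never parsed."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False

def ber_len(buf, i):
    """Read a BER length at buf[i] (short or long form); return (length, next index)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def lenient_check(em, message):
    """Toy BER-tolerant form: walks the TLV headers and compares only the digest."""
    try:
        i = em.index(b"\x00", 2) + 1               # skip 00 01 FF..FF 00
        _, i = ber_len(em, i + 1)                  # DigestInfo SEQUENCE header
        alg_len, i = ber_len(em, i + 1)            # AlgorithmIdentifier header
        dig_len, i = ber_len(em, i + alg_len + 1)  # OCTET STRING header
        return em[i:i + dig_len] == hashlib.sha256(message).digest()
    except (ValueError, IndexError):
        return False

def constructed_samples(message=b"constructed sample", em_len=256):
    """Return (canonical DER encoding, same content with a long-form BER length)."""
    good = expected_em(message, em_len)
    t = good[-(len(PREFIX) + 32):]
    # 30 31 -> 30 81 31 is legal BER but not DER; one FF is dropped to keep the length.
    ber = good[:2] + b"\xff" * (em_len - len(t) - 4) + b"\x00\x30\x81\x31" + t[2:]
    return good, ber
```

The lenient form accepts both samples, while the strict form accepts only the canonical one, because any encoding other than the expected bytes fails the comparison.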
Intel Security General Manager Mike Fey wrote in a blog post that the BERserk vulnerability could have enabled an attacker to bypass Secure Sockets Layer (SSL) authentication security.
“Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites,” Fey wrote.
That’s a big deal. Given that a large number of people use the Firefox and Chrome Web browsers, the risk is nontrivial.
That said, both Google Chrome and Mozilla Firefox have excellent updating mechanisms for their respective users. As such, I would suspect that the vast majority of Chrome and Firefox users right now are not at risk from the BERserk vulnerability as their respective browsers have likely already been updated. However, that doesn’t mean that all those users were not at risk prior to Sept. 24, though there is no public indication at this point that the BERserk flaw has ever been exploited.
As with the Heartbleed SSL issue earlier this year, an attacker could bypass SSL. However, in that situation, the updates took more time as server administrators manually applied the patches.
SSL is an integral part of the modern Web, and vulnerabilities in its implementation, whether in the browser or on a server, should not be underestimated. Given the renewed emphasis on finding flaws in open-source security technologies, I suspect that more vulnerabilities will be found and patched in the weeks and months ahead.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.