FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
EwDoor botnet targets AT&T network edge devices at US firms
Android banking malware infects 300,000 Google Play users
Finland warns of Flubot malware heavily targeting Android users
Planned Parenthood LA discloses data breach after ransomware attack
Emotet now spreads via fake Adobe Windows App Installer packages
Former Ubiquiti dev charged for trying to extort his employer
Bulletproof hosting founder imprisoned for helping cybercrime gangs
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Mozilla fixes critical bug in cross-platform cryptography library
Mozilla has addressed a critical memory corruption vulnerability affecting its cross-platform Network Security Services (NSS) set of cryptography libraries.
NSS can be used to develop security-enabled client and server apps with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards.
The security flaw was found by Google vulnerability researcher Tavis Ormandy in NSS versions before 3.73 or 3.68.1 ESR—who also dubbed it BigSig—and is now tracked as CVE-2021-43527.
It can lead to a heap-based buffer overflow when handling DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers using vulnerable NSS versions (the bug has been fixed in NSS 3.68.1 and NSS 3.73).
The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security software if code execution is achieved.
This is a major memory corruption flaw in NSS, almost any use of NSS is affected. The Mozilla advisory is here https://t.co/AL8suyLQFF https://t.co/uTQ2gqRZ5t
“Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted,” Mozilla said in a security advisory issued today.
“Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.”
“We believe all versions of NSS since 3.14 (released October 2012) are vulnerable,” Ormandy added on the Project Zero issue tracker.
“Mozilla plan to produce a thorough list of affected APIs – but the summary is any standard use of NSS is affected. The bug is simple to reproduce and affects multiple algorithms.”
Luckily, according to Mozilla, this vulnerability doesn’t impact the Mozilla Firefox web browser. However, all PDF viewers and email clients which use NSS for signature verification are believed to be impacted.
NSS is used by Mozilla, Red Hat, SUSE, and others in a wide variety of products, including:
“If you are a vendor that distributes NSS in your products, you will most likely need to update or backport the patch,” Ormandy said.
8-year-old HP printer vulnerability affects 150 printer models
New Windows zero-day with public exploit lets you become an admin
Microsoft shares temp fix for ongoing Office 365 zero-day attacks
Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug
Magniber ransomware gang now exploits Internet Explorer flaws in attacks
Not a member yet? Register Now
Microsoft Defender scares admins with Emotet false positives
DNA testing firm discloses data breach affecting 2.1 million people
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

US universities targeted by Office 365 phishing attacks

Grafana fixes zero-day vulnerability after exploits spread over TwitterGoogle disrupts massive Glupteba…

Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware

Ukraine links members of Gamaredon hacker group to Russian FSBSamsung Galaxy S21…

Here are the new Emotet spam campaigns hitting mailboxes worldwide

Windows 10 21H2 is released, here are the new featuresNew Rowhammer technique…

US targets DarkSide ransomware, rebrands with $10 million reward

Ukraine links members of Gamaredon hacker group to Russian FSBSamsung Galaxy S21…