SSL

Google Chrome and Mozilla Firefox Fix BERserk SSL Vulnerability

October 8, 2014 | By Editor 

Summary

Just hours after the Web-crippling-zero-flaw Shellshock was reported on September 24, the tech world was again consumed by another huge open-source flaw on the same day.

Called BERserk by Intel Security, the vulnerability enables hackers to forge RSA signatures and bypass valid mechanisms of sites.

SSL

Chrome and Firefox Patch BERserk Flaw

  • Both Google and Mozilla updated their browsers on September 24 for a flaw that was present in all their prior releases. The updates fixed a single issue in the core Network Security Services (NSS) library present in both Google Chrome and Mozilla Firefox. The NSS issue is a flaw that enables a digital signature forgery attack. It was first reported to Mozilla by a security researcher named Antoine Delignat-Lavaud as well as Intel Security.
  • The problem was named ‘BERserk’ because the flaw is enabled by incorrect parsing of certain BER (Basic Encoding Rules) that are encoded sequences in RSA sign verification implementation.
  • According to Mike Fey, Intel Security General Manager, the BERserk flaw could have enabled a hacker to bypass Secure Sockets Layer (SSL) authentication security.
  • Since SSL certificates play a vital role in browser security, this problem has raised serious concerns about the privacy and integrity sites. This is big deal, since a larger population use Chrome and Firefox Web browsers for various purposes. The risk being nontrivial.┬áThat having said, both Firefox and Chrome have superior updating mechanisms for their respective users.
  • It would not be a surprise that the vast majority of Firefox and Chrome users right now are not at risk from the BERserk flaw as their respective Web browsers have likely updated their SSL.
  • However, that does not guarantee that all those users were not at risk before September 24, though there is no indication that the BERserk vulnerability has ever been exploited.┬áSimilar with the Heartbleed SSL flaw earlier this year, a hacker could bypass SSL.
  • However, in the Heartbleed issue, the updates took longer time as server admins manually applied the fixes.
  • SSL is an important part of the modern Internet, and flaws in its implementation, regardless of whether in the server or browser, should not be undermined.
  • This year, Heartbleed, Shellshock, and BERserk were some of the biggest open-source flaws that crippled millions of sites on the Web, and Web-connected devices such as mobiles and routers.
  • Considering the recent emphasis in finding vulnerabilities in open-source security technologies, it is expected that more flaws will be found and fixed in the years ahead.

Wildcardssl

Posted in SSL

Be Sociable, Share!

Leave a Comment


 


* fields are mandatory