Here’s how to track and fix – Naked Security

Tavis Ormandy, a well-known bug hunter on Google’s Project Zero team, recently reported a serious security flaw in Mozilla’s encryption code.

Many software vendors rely on third-party open source encryption tools such as OpenSSL, or simply connect to an encryption library built into the operating system itself, such as Microsoft Secure Channel (Schannel) on Windows or Apple Secure Transport on macOS and iOS.

But Mozilla has always used its own encryption library, known as NSS, short for Network Security Services, instead of relying on third-party or system-level code.

Ironically, this bug is exposed when an affected application sets out to test the authenticity of a digital signature provided by the sender of content such as email, PDF documents, and web pages.

In other words, the very act of protecting you, by checking in advance whether the user or website you are dealing with is a scammer …

… could, in theory, lead to you being hacked by that user or website.

As Ormandy shows in his bug report, it’s easy to exploit this bug to crash an application outright, and it’s not too difficult to pull off what’s called a “controlled crash” that leads to remote code execution.

This vulnerability is officially known as CVE-2021-43527, but Ormandy has jokingly dubbed it BigSig, because it involves a buffer overflow caused by submitting a digital signature signed with an encryption key that is larger than the largest key NSS is programmed to expect.
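
The overflow pattern described above, reduced to an added C example (not code from NSS or from the original article): a fixed-size signature buffer filled with and without a length check. The struct, the function names and the 512-byte limit are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIG_BYTES 512  /* hypothetical limit, not NSS's real value */

/* Hypothetical context: fixed buffer sized for the largest expected
 * signature, with other verification state after it in memory. */
struct verify_ctx {
    unsigned char sig[MAX_SIG_BYTES];
    size_t sig_len;
    int trusted;
};

/* Bug pattern: trusts the sender-supplied length, so a longer signature
 * writes past sig[] into sig_len, trusted and beyond. Never called here. */
int load_sig_unchecked(struct verify_ctx *c, const unsigned char *s, size_t n)
{
    memcpy(c->sig, s, n);
    c->sig_len = n;
    return 0;
}

/* Fix pattern: reject empty or oversized input before touching the buffer. */
int load_sig_checked(struct verify_ctx *c, const unsigned char *s, size_t n)
{
    if (c == NULL || s == NULL || n == 0 || n > sizeof c->sig)
        return -1;
    memcpy(c->sig, s, n);
    c->sig_len = n;
    return 0;
}

/* Constructed input: one byte more than the buffer holds.
 * Returns 1 if it is rejected and the neighbouring state is untouched. */
int oversized_is_rejected(void)
{
    static unsigned char big[MAX_SIG_BYTES + 1];
    struct verify_ctx c = { .sig_len = 0, .trusted = 0 };
    int rc = load_sig_checked(&c, big, sizeof big);
    return rc == -1 && c.sig_len == 0 && c.trusted == 0;
}

int main(void)
{
    printf("oversized signature rejected: %d\n", oversized_is_rejected());
    return 0;
}
```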