Mozilla Foundation Security Advisory 2006-60

Title: RSA Signature Forgery
Impact: Critical
Announced: September 14, 2006
Reporter: Philip Mackenzie, Marius Schilder
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.5
  Network Security Service (NSS) 3.11.3


Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's recent presentation of a common implementation error in RSA signature verification: a failure to account for extra data in the signature. For signatures with a small exponent such as 3, an attacker can calculate a value for this extra data that makes an altered message appear to be correctly signed, allowing the signature to be forged. Mozilla's Network Security Services (NSS) library was vulnerable to this flaw.

Because the set of root Certificate Authorities that ships with Mozilla clients contains some with an exponent of 3, it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent.

We thank Philip Mackenzie and Marius Schilder for bringing this result to our attention and working with us to ensure the NSS library was safe from variations on this basic attack.


Workaround: None; upgrade to a fixed version.