Mozilla Foundation Security Advisory 2006-66

RSA Signature Forgery (variant)

Announced

November 7, 2006

Reporter

Ulrich Kuehn

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 1.5.0.8
SeaMonkey 1.0.6
Thunderbird 1.5.0.8

Description

MFSA 2006-60 reported that RSA digital signatures with a low exponent (typically 3) could be forged. This flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients.

Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version 3.10.2, was incompletely patched and remained vulnerable to a variant of this attack.

Workaround

None, upgrade to a fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=356215
CVE-2006-5462
MFSA 2006-60

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice