Thunderbird 91.4.0 fixes BigSig vulnerability
The security vulnerability known as "BigSig" in Mozilla's crypto library NSS has been fixed.
David FischerThe security vulnerability known as BigSig in Mozilla's crypto library NSS has been fixed in Thunderbird 91.4.0. Additionally, the Seamonkey project has released an update for its web suite that also closes this gap.
At the beginning of December, Mozilla published a security announcement to document the vulnerability classified as critical CVE-2021-43527 in its crypto library NSS (Network Security Services). The Document Foundation reacted very quickly and provided security updates for LibreOffice, which had previously contained a vulnerable version of NSS.
Mozilla's Thunderbird mail program also uses NSS. Mozilla has now replaced the vulnerable NSS version in Thunderbird 91.4.0 with the secured version NSS 3.68.1. Mozilla has published a security report for the NSS vulnerability.
In the new Seamonkey 2.53.10.1 version, the NSS vulnerability has also been eliminated. The web suite is based on Firefox ESR and Thunderbird. Even if Seamonkey still uses a rather old code base of these programs (Firefox ESR 60.8, Thunderbird 60), the small development team tries to deliver at least all current security updates for Firefox and Thunderbird with each new Seamonkey version. In Seamonkey 2.53.10.1, the vulnerabilities that Mozilla closed in Firefox ESR 91.4.0 and Thunderbird 91.4.0 have been fixed. This includes the BigSig NSS gap.
Firefox is not affected by the NSS vulnerability, according to Mozilla. This also applies to the Tor Browser, which has now been updated to version 11.0.2 and is based on Firefox ESR 91.4.0.
The NSS vulnerability CVE-2021-43527 was discovered by Tavis Ormandy from Google Project Zero and named BigSig. When checking certain digital signatures with vulnerable NSS versions, memory errors can occur, which lead to the program crash. The reason: A signature of basically unlimited length is read into a buffer of fixed length - a classic programming error. Attackers could exploit this to smuggle in code using very long, appropriately prepared signatures that would be executed if the program crashed. Mozilla provided the secured versions NSS 3.68.1 and 3.73.
About Author
David Fischer
I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.