Renowned bug hunter Tavis Ormandy from Google’s Project Zero team recently found a Critical security flaw In Mozilla’s encryption code.

Many software vendors rely on third-party open source encryption tools, such as OpenSSL, Or simply connect to the encryption libraries built into the operating system itself, such as Microsoft’s Secure channel (Schannel) on Windows or Apple Secure transport On macOS and iOS.

But Mozilla has always used it Its own cryptographic library, Known as NSS, Short for Network security services, Instead of relying on third-party or system-level code.

Ironically, this bug is exposed when affected applications go out to test the encryption authenticity of digital signatures provided by content senders such as emails, PDF documents or web pages.

In other words, the very protection of you, by pre-checking if a user or site you are dealing with is impersonating …

… can, in theory, lead to hacking by the user or site.

As Ormandi shows in his bug report, it’s trivial to crash an app by exploiting this bug, and it’s no harder to do what might be called a “controlled crash”, which can usually be complicated into RCE, short for Remote code execution.

The vulnerability is officially known as CVE-2021-43527, But Ormandi laughed at him BigSig, Because it involves a buffer overflow triggered by sending a digitally signed signature in a cryptographic key that is larger than the largest key that NSS is programmed to expect.