PT-2014-1466 · Mozilla+5 · Thunderbird+8
Published: 2014-05-13 · Updated: 2024-12-12
CVE-2014-1544
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Mozilla Network Security Services (NSS) versions 3.x
Firefox versions prior to 31.0
Firefox ESR versions prior to 24.7
Thunderbird versions prior to 24.7
Description
The issue is a use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so, which allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. The vulnerability is in Mozilla Network Security Services (NSS), which is used in Firefox, Firefox ESR, and Thunderbird.
Recommendations
For Mozilla Network Security Services (NSS) version 3.x, update to a version that contains a fix for this issue.
For Firefox versions prior to 31.0, update to version 31.0 or later.
For Firefox ESR versions prior to 24.7, update to version 24.7 or later.
For Thunderbird versions prior to 24.7, update to version 24.7 or later.
As a temporary workaround, consider restricting access to the CERT_DestroyCertificate function until a patch is available.
Exploit
Fix
Use After Free
Affected Products
ALT Linux
CentOS
Firefox
Firefox ESR
Network Security Services
Red Hat
SUSE
Thunderbird
Ubuntu