Sunday, 6 September 2015

Firefox Users Attacked Using Information From Bugzilla

An attacker had access to Mozilla's bug tracking system for at least a year and used information about at least one unpatched vulnerability in Firefox to attack users of the open source browser. Mozilla disclosed this in a blog post yesterday.

Mozilla uses Bugzilla to track bugs and security vulnerabilities in various software projects, such as Firefox and the email client Thunderbird. Access to sensitive security information is restricted to certain users. One user who had such access had also used their Bugzilla password on another website. That unnamed website was hacked, which put the password in the attacker's hands and allowed the attacker to log in to the user's Bugzilla account.

As far as is known, the attacker had access to Bugzilla in this way since September 2014, but there is some evidence to suggest the attacker had been logging in to the account since September 2013. During this time, the attacker viewed information about 185 non-public Firefox bugs: 110 bugs unrelated to security, 22 minor security issues and 53 vulnerabilities labeled "high" or "critical". Of these 53 vulnerabilities, 43 had already been patched by the time the attacker viewed them. According to Mozilla, the attacker therefore probably could not use the information about those 43 vulnerabilities to attack Firefox users.

Zero-Day Flaw

Of the other 10 vulnerabilities, three were known to the attacker for 131, 157 and 335 days respectively before a patch appeared. The other seven were known for less than 36 days. "We think they used this information to attack Firefox users," said Richard Barnes of Mozilla. This concerns the zero-day vulnerability that Mozilla patched on August 6, which was used to steal sensitive files from Firefox users. As far as Mozilla knows, information about the other nine vulnerabilities was not used. On August 27 a new Firefox version appeared in which all the vulnerabilities the attacker had access to were patched.

Because of the incident, Mozilla has decided to tighten the security of Bugzilla. All users with access to sensitive security information have had their passwords reset, and two-factor authentication has been made mandatory for them. In addition, the number of users with special access has been reduced, as has what those users are allowed to do. This should make it more difficult for an attacker to gain access to an account and limit the amount of information that can be stolen in a successful attack.
