Mozilla has released a report on a breach of its Bugzilla bug tracker, according to which an unknown attacker managed to steal information about 185 non-public vulnerabilities in Firefox and other Mozilla products. The attackers are presumed to have used this information to attack users.
According to the official FAQ on the incident, the attackers got into the system by gaining access to a privileged account, and through it to the restricted bug discussions. The investigation showed that one user had evidently reused the same password for Bugzilla and other sites. One of those sites was compromised, and the password fell into the wrong hands. With access to that Bugzilla account, the attackers could read information about vulnerabilities in Firefox and other Mozilla projects.
The attackers had unauthorized access to the bug tracker for a long time. The first confirmed case of unauthorized access dates to September 2014, and some evidence suggests that the attackers may have had access to Bugzilla even longer, since September 2013.
In total, over this period the attackers gained access to 185 vulnerabilities. 110 of them were not security issues; details about them were withheld because they involved proprietary information. 22 were rated as moderate severity and 53 as critical. Of the critical bugs, 10 remained unpatched for a long time, while 43 were fixed promptly. As for the ten the attackers could have taken advantage of:
- 2 bugs were fixed in less than 7 days
- 5 bugs were fixed within 7-36 days
- 3 bugs remained unpatched for more than 36 days (131 days, 157 days and 335 days)
Mozilla now writes that the attackers appear to have exploited some of those ten bugs that were unpatched at the time. The company had already disclosed one such case in August 2015, when Firefox users were targeted through advertising on a Russian news site: using a hole in Firefox, the malware exfiltrated confidential user data to a server apparently located in Ukraine. That particular vulnerability was closed on August 6, 2015.
Mozilla reports that the privileged account in question has been shut down and that outside experts from a company not named in the report have been brought into the investigation of the incident. In the latest Firefox release, published August 27, 2015, all of these vulnerabilities were fixed on all platforms.