Bugzilla hacked to attack Firefox users

Developed by Mozilla but used by many other projects, Bugzilla is open source bug-tracking software and the platform Mozilla runs it on. Most of Bugzilla is public, but sensitive security information is access-restricted.

In theory, only users whose account carries the appropriate authorizations can read that information. An attacker nevertheless managed to compromise a privileged account and used it to steal information about vulnerabilities in Firefox and other Mozilla products.

According to the initial findings of Mozilla's investigation, the earliest confirmed unauthorized access dates to September 2014, but the intrusion could have begun as early as September 2013. The Bugzilla password was most likely compromised because its legitimate owner reused it on another site whose data had been exfiltrated.

The attacker was able to read 185 non-public bugs that developers were still working on, 53 of which were rated high or critical. For 10 of those security bugs, the attacker gained access before a fix had shipped in Firefox, leaving a window in which they could have been exploited.

No actual attacks have been confirmed, with one exception: a critical vulnerability fixed on August 6 (Firefox 39.0.3). In that case Mozilla patched the vulnerability while an exploit was already in the wild. Mozilla had discovered the attack on a Russian news site, delivered through malicious advertisements carrying the exploit code, which injected JavaScript into Firefox's built-in PDF viewer to read local files on the victim's machine and exfiltrate them.

Firefox 40.0.3, released on August 27, fixes all of the vulnerabilities the attacker could have learned about. The compromised account has of course been shut down, and security improvements for Bugzilla are under discussion.

The passwords of all Bugzilla users whose accounts grant access to sensitive security bugs have been reset, and those users are now required to use two-factor authentication.

Mozilla has been very transparent about this incident. It is regrettable, however, that users holding sensitive Bugzilla accounts were not made more aware beforehand of measures such as two-factor authentication, or of the need not to reuse a sensitive password elsewhere. Then again, ordinary users have had that advice drummed into them for years ...