Firefox zero-days exposed after compromise of privileged account

Attacker was able to access security bugs for which Mozilla received reports before they were patched

An unknown attacker was able to make away with a veritable treasure trove of security flaws after compromising a privileged Mozilla account to gain unauthorized access to the company's Bugzilla bug tracker tool.

While the attacker used no security bugs to breach the account belonging to a privileged user – a compromised password was the apparent culprit – Mozilla documented at least one instance when a user accessed and exploited security-sensitive information normally kept out of public view.

"While most information in Bugzilla is public, Bugzilla restricts access to security-sensitive information, so that only certain privileged users can access it. It is in the same spirit of openness that we are disclosing today that someone was able to steal security-sensitive information from Bugzilla," wrote Mozilla Security Engineer Richard Barnes in a blog post on the Mozilla blog. "We believe they used that information to attack Firefox users. Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat."

Mozilla closed down the Bugzilla account as soon as it detected the unauthorized access, and in the most recent version of Firefox, released on August 27, the company fixed 10 security bugs that the attacker could have leveraged, explained Barnes. In total, the attacker accessed 185 non-public Firefox bugs, of which 53 are classified as "severe vulnerabilities."

In a frequently asked questions document [.pdf] that Mozilla released in tandem with its blog entry, the company outlined the steps it took to prevent a recurrence. These included making it harder to break into Bugzilla accounts through the mandatory use of two-factor authentication, and increasing the amount of auditing on privileged users to detect suspicious activity faster.

"We are reducing the access that each Bugzilla user is granted in order to limit the amount of information that could potentially be exposed in the event of unauthorized access," explained Mozilla. For now, the best way that users can protect themselves is to ensure that they are running the latest version of Firefox.

For more:
- read the Mozilla blog post
- review the Mozilla FAQ
- check out this article at The Inquirer
- see this article at Ars Technica