Unnoticed Firefox attacker had access to severe vulnerabilities for over a year | ICT Security-Sécurité PC et Internet | Scoop.it
An attacker with access to security-sensitive information about the Firefox web browser went unnoticed for up to two years, putting hundreds of millions of users at risk.

The attacker was able to spy on highly sensitive information by gaining access to a privileged account on Bugzilla@Mozilla, the bug tracking system the Mozilla Corporation uses to store information about flaws in its software.

The company behind the popular web browser has revealed details of the breach in an FAQ document. It explains that the attacker gained access to information about 185 non-public bugs, of which 53 were classed as severe vulnerabilities.

Ten of those severe vulnerabilities were still unfixed when the attacker became aware of them, meaning that they could have been used to attack Firefox, and at least one of them was used in the wild.

The window of opportunity to successfully exploit that bug was less than 36 days, but three of the bugs were known to the attacker and unpatched for far longer: two for more than 130 days and one for almost a year.

In the face of such an open window of opportunity, Mozilla's boilerplate assurance that "there is no indication that any of the other bugs the attacker accessed have been exploited" isn't very reassuring; absence of evidence is not evidence of absence, after all.

Mozilla's bug tracking system appears to have been infiltrated because of password reuse by one of its privileged users.

Learn more:

https://gustmees.wordpress.com/2012/05/02/get-smart-with-5-minutes-tutorialsit-securitypart-1-browsers/

https://gustmeesde.wordpress.com/2014/12/16/browser-sind-das-einfallstor-fur-malware-sind-eure-browser-up-to-date/