Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Security

Bugzilla Bug Exposes Zero-Day Bugs 34

tsu doh nimh writes A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.
This discussion has been archived. No new comments can be posted.

Bugzilla Bug Exposes Zero-Day Bugs

Comments Filter:
  • Bug redux? (Score:4, Funny)

    by Anonymous Coward on Monday October 06, 2014 @10:01AM (#48073423)

    So I heard you like learning about bugs.

  • Nice going (Score:5, Insightful)

    by ArcadeMan ( 2766669 ) on Monday October 06, 2014 @10:04AM (#48073435)

    So, instead of waiting for that to be patched, the news is spreading that people can use it to find security holes in a lot of software. I'm all for open formats, open source and whatnot, but this is not a good way to do things regarding security. Warn the people in charge of the project, not the general public.

    • Re:Nice going (Score:5, Informative)

      by Vellmont ( 569020 ) on Monday October 06, 2014 @10:15AM (#48073511) Homepage


      Warn the people in charge of the project, not the general public.

      This is exactly what was done.

      “An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license.

      “This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed,” Stamm said. “There have been no reports from users that sensitive data has been compromised and we have no other reason to believe the vulnerability has been exploited. We expect the fixes to be released on Monday.”

    • Re:Nice going (Score:5, Interesting)

      by jbolden ( 176878 ) on Monday October 06, 2014 @10:55AM (#48073791) Homepage

      CheckPoint who noticed this hole wanted to make a point about failure to audit in open source projects: essentially that no one actually audits open source projects unless they are paid to so someone should be paying for auditing. Mozilla foundation doesn't know if anyone actually had exploited this bug and it requires some specifics about how Bugzilla is setup.

    • by kbg ( 241421 ) on Monday October 06, 2014 @10:58AM (#48073809)

      Unfortunately they reported the zero day bug about Bugzilla into Bugzilla :)

  • Yo Dawg! (Score:5, Funny)

    by CajunArson ( 465943 ) on Monday October 06, 2014 @10:04AM (#48073439) Journal

    We heard you like bugs. So we introduced a bug in your bug-reporting system so you can exploit one bug to exploit other bugs.

  • by Carewolf ( 581105 ) on Monday October 06, 2014 @10:23AM (#48073595) Homepage

    So you can register an account with an email from another domain? Still I know of no-bugzilla where security bugs are allowed to be seen by everybody from a certain domain. They are allowed to be seen by certain number of emails, and since they are already registered, you can't create a new account with one of those.

    So, not really that much of an issue unless you have really wide permission to everybody from specific email domains.

    • by Kjella ( 173770 )

      Any smallish company where security is not compartmentalized from other development activities but with a public Bugzilla server so users can report bugs and such? You register with a @company.com address and you're assumed to be an in-house developer with access to all your dirty laundry. Not everyone runs on a strict need-to-know basis...

    • by Dr. Evil ( 3501 ) on Monday October 06, 2014 @11:47AM (#48074193)

      You get administrative rights, it's in the Checkpoint report in the article: http://www.checkpoint.com/blog... [checkpoint.com]

      Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:
      1.The bug enables unknown users to gain administrative privileges
      2.By using these admin credentials, attackers can then view and edit private and undisclosed bug details. Software bug tracking data is typically closely guarded as it exposes software vulnerabilities and known issues
      3.Furthermore, this access allows attackers to exploit design weaknesses, or even irreversibly destroy bug data, slowing down development

      And have info about their disclosure:

      September 29th – Vulnerability discovered and verified by Check Point security researchers
      September 30th – Report submitted to the Bugzilla team
      September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla
      September 30th – Bugzilla team privately shared preliminary patch with prominent Bugzilla installations
      October 6th – Security advisory and final patch released

      The Checkpoint article is a lot more professional than the Krebs article No jabs at FOSS either.

      This looks like a major company which uses FOSS (IIRC, SPLAT is a Linux-based-platform) made a contribution in discovering a vulnerability in common software.

      • You get administrative rights, ......
        1.The bug enables unknown users to gain administrative privileges ......

        I suspect the NSA noticed they were not the only ones lurking and slurping up bugs.
        Too early in the season for snow to tell anyone they were done.

  • by Anonymous Coward on Monday October 06, 2014 @10:23AM (#48073601)

    What/why is this obsession/FUD with calling things "Zero-Day" bugs? Is this to suggest that bugs magically appear the 10th day or whatever after release?

    A bug/exploit in the software is always there at the zero-day. Doesn't matter if it's found immediately or 20 years from release.

    • by TheCarp ( 96830 ) <sjc AT carpanet DOT net> on Monday October 06, 2014 @10:33AM (#48073655) Homepage

      I thought "Zero day" refered to when the bug or exploit became known to either the developer or public?

      Developers can't fix bugs they don't know about it, so "day zero" is really the day the fact that there is a bug becomes known and fixable. Up to that point, including while it is being used in the wild but not yet discovered, it is still "zero day"

      That is the obsession on both sides. Criminals want zero days because it means they are ahead of the game. Everyone else worries about them when they are discovered because there is always a question of whether it was already exploited.

    • by Anonymous Coward

      A zero-day exploit is one where someone has an attack based on it prior to the developers having fixed it. See https://en.wikipedia.org/wiki/... [wikipedia.org]

      That said, they do seem to be misusing the term here. These seem to be zero-day risks rather than exploits. Attackers don't need to find out about zero-day bugs from bug reports. By definition, they already know about them. Now, once they are exposed and an attack is created, they become zero-day exploits. But until a black hat creates and uses an attack, they

    • Software is released with known "limitations" and unknown bugs. Zero day is not the day of release (as I had previously believed), it's the day that the developer is made aware that an unknown bug has been released. Either way the definition reduces to "bug", so the only reason I can see to use it is that it sounds more exciting.
  • by Anonymous Coward

    I never meta bug I didn't like

    -anonymous black-hat

  • "NOOOO those were supposed to be private! Only for access to authorized Bugzilla users and those with the technical means to steal the information!!! Our precious cyberweapons, RUINED!!! T_T " - NSA

  • by kbg ( 241421 ) on Monday October 06, 2014 @11:05AM (#48073869)

    Reminds of the day I called the software developer to report about a bug in the bug reporting software that made it unable to save a bug report. His response was (seriously): "Just create a bug report about the problem".

    • Did that report bug you?

    • Perhaps you were supposed to create the bug report in the bug tracker vendor's bug tracker? (Well, provided that *that* one would work.)
      • by kbg ( 241421 )

        No this was an in-house bug tracking software. All our software products used the bug tracker including of course the bug tracker itself. There was a strict company policy that all bug reports should be created in the bug tracker and you should never contact the developer directly about bugs. No exceptions :)

  • But my joke DB just came down with a SQL injection bug and the best it came up with was "20 bucks, same as in town"

  • (N)ation-(S)tate (A)ctors... I see what you did there.

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...