Slashdot Mirror


Bugzilla Bug Exposes Zero-Day Bugs

tsu doh nimh writes A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

34 comments

  1. Bug redux? by Anonymous Coward · · Score: 4, Funny

    So I heard you like learning about bugs.

    1. Re:Bug redux? by anomalous3 · · Score: 1

      I believe the appropriate phrase is "Yo Dawg"

    2. Re:Bug redux? by anomalous3 · · Score: 1

      aww crap someone beat me to it

    3. Re:Bug redux? by Anonymous Coward · · Score: 0

      So I heard you like bugs
      So I put a bug in your bug tracker
      So you can look at bugs while you're exploiting a bug

  2. Nice going by ArcadeMan · · Score: 4, Insightful

    So, instead of waiting for that to be patched, the news is spreading that people can use it to find security holes in a lot of software. I'm all for open formats, open source and whatnot, but this is not a good way to do things regarding security. Warn the people in charge of the project, not the general public.

    1. Re:Nice going by Vellmont · · Score: 4, Informative


      Warn the people in charge of the project, not the general public.

      This is exactly what was done.

      “An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license.

      “This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed,” Stamm said. “There have been no reports from users that sensitive data has been compromised and we have no other reason to believe the vulnerability has been exploited. We expect the fixes to be released on Monday.”

      --
      AccountKiller
    2. Re:Nice going by jbolden · · Score: 4, Interesting

      CheckPoint, who noticed this hole, wanted to make a point about failure to audit in open source projects: essentially that no one actually audits open source projects unless they are paid to, so someone should be paying for auditing. Mozilla foundation doesn't know if anyone actually had exploited this bug, and it requires some specifics about how Bugzilla is set up.

    3. Re:Nice going by kbg · · Score: 4, Funny

      Unfortunately they reported the zero day bug about Bugzilla into Bugzilla :)

  3. Yo Dawg! by CajunArson · · Score: 4, Funny

    We heard you like bugs. So we introduced a bug in your bug-reporting system so you can exploit one bug to exploit other bugs.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Yo Dawg! by TheCarp · · Score: 2

      I really think the original article made that joke so much better with the meme they included:
      http://krebsonsecurity.com/wp-...

      Leaving us to ponder, how many bugs would bug xibit enough for xibit to exhibit bugs?

      This whole thing is way too meta, I am going back to bed until it is over.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Yo Dawg! by Chris+Mattern · · Score: 2

      And the other one:

      Bugception.

    3. Re:Yo Dawg! by Anonymous Coward · · Score: 0

      One Bug To Rule All Other Bugs.

  4. Headline does not match subject by Carewolf · · Score: 2

      So you can register an account with an email from another domain? Still, I know of no bugzilla where security bugs are allowed to be seen by everybody from a certain domain. They are allowed to be seen by a certain number of emails, and since they are already registered, you can't create a new account with one of those.

    So, not really that much of an issue unless you have really wide permission to everybody from specific email domains.

    1. Re:Headline does not match subject by Kjella · · Score: 2

      Any smallish company where security is not compartmentalized from other development activities but with a public Bugzilla server so users can report bugs and such? You register with a @company.com address and you're assumed to be an in-house developer with access to all your dirty laundry. Not everyone runs on a strict need-to-know basis...

      --
      Live today, because you never know what tomorrow brings
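      A toy model of the flaw Stamm describes above (client-supplied fields, including login_name, written to the user row at account creation) and of Kjella's scenario (privileges granted by e-mail domain), as an added example that is not part of this thread or of Bugzilla's code. It contrasts a mass-assignment-style creation step with one that binds login_name to the address the verification token was actually mailed to; the group regexp is a constructed value.

      ```python
      import re
      import secrets

      # Constructed example: one group whose membership is granted by an e-mail
      # regexp, in the spirit of a domain-based "you're in-house" rule.
      GROUP_REGEXPS = {"inhouse-dev": r"^[^@]+@company\.com$"}

      # Pending verifications: token -> address the verification mail went to.
      PENDING = {}


      def request_account(email):
          """Step 1: record which address a verification token was mailed to."""
          token = secrets.token_hex(8)
          PENDING[token] = email
          return token


      def groups_for(login_name):
          """Groups derived from the login name alone, as domain rules do."""
          return {g for g, rx in GROUP_REGEXPS.items() if re.search(rx, login_name)}


      def create_account_vulnerable(token, form):
          """Flawed step 2: every submitted form field is copied into the user
          row, so a client-supplied 'login_name' replaces the verified address
          and inherits whatever groups that address would get."""
          verified = PENDING.pop(token)
          user = {"login_name": verified, "realname": ""}
          user.update(form)  # mass assignment: login_name is overwritten here
          user["groups"] = groups_for(user["login_name"])
          return user


      ALLOWED_FIELDS = {"realname"}


      def create_account_hardened(token, form):
          """Hardened step 2: login_name comes only from the verified address,
          and only allow-listed fields are taken from the form; anything else
          is rejected outright rather than silently dropped."""
          verified = PENDING.pop(token)
          unexpected = set(form) - ALLOWED_FIELDS
          if unexpected:
              raise ValueError("unexpected fields: %s" % sorted(unexpected))
          user = {"login_name": verified, "realname": form.get("realname", "")}
          user["groups"] = groups_for(user["login_name"])
          return user
      ```

      The useful defender's check is the one in the hardened version: the identity-bearing field is never read from the request once the verification step has fixed it.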
    2. Re:Headline does not match subject by Dr.+Evil · · Score: 4, Interesting

      You get administrative rights, it's in the Checkpoint report in the article: http://www.checkpoint.com/blog...

      Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:
      1. The bug enables unknown users to gain administrative privileges
      2. By using these admin credentials, attackers can then view and edit private and undisclosed bug details. Software bug tracking data is typically closely guarded as it exposes software vulnerabilities and known issues
      3. Furthermore, this access allows attackers to exploit design weaknesses, or even irreversibly destroy bug data, slowing down development

      And have info about their disclosure:

      September 29th – Vulnerability discovered and verified by Check Point security researchers
      September 30th – Report submitted to the Bugzilla team
      September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla
      September 30th – Bugzilla team privately shared preliminary patch with prominent Bugzilla installations
      October 6th – Security advisory and final patch released

      The Checkpoint article is a lot more professional than the Krebs article. No jabs at FOSS either.

      This looks like a major company which uses FOSS (IIRC, SPLAT is a Linux-based-platform) made a contribution in discovering a vulnerability in common software.

    3. Re:Headline does not match subject by niftymitch · · Score: 1

      You get administrative rights, ......
      1.The bug enables unknown users to gain administrative privileges ......

      I suspect the NSA noticed they were not the only ones lurking and slurping up bugs.
      Too early in the season for snow to tell anyone they were done.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  5. Zero-Day - redundant. by Anonymous Coward · · Score: 3, Insightful

    What/why is this obsession/FUD with calling things "Zero-Day" bugs? Is this to suggest that bugs magically appear the 10th day or whatever after release?

    A bug/exploit in the software is always there at the zero-day. Doesn't matter if it's found immediately or 20 years from release.

    1. Re:Zero-Day - redundant. by TheCarp · · Score: 4, Informative

      I thought "Zero day" referred to when the bug or exploit became known to either the developer or public?

      Developers can't fix bugs they don't know about, so "day zero" is really the day the fact that there is a bug becomes known and fixable. Up to that point, including while it is being used in the wild but not yet discovered, it is still "zero day".

      That is the obsession on both sides. Criminals want zero days because it means they are ahead of the game. Everyone else worries about them when they are discovered because there is always a question of whether it was already exploited.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Zero-Day - redundant. by Anonymous Coward · · Score: 1

      A zero-day exploit is one where someone has an attack based on it prior to the developers having fixed it. See https://en.wikipedia.org/wiki/...

      That said, they do seem to be misusing the term here. These seem to be zero-day risks rather than exploits. Attackers don't need to find out about zero-day bugs from bug reports. By definition, they already know about them. Now, once they are exposed and an attack is created, they become zero-day exploits. But until a black hat creates and uses an attack, they are just dangerous bugs not zero-day bugs.

    3. Re:Zero-Day - redundant. by TapeCutter · · Score: 1

      Software is released with known "limitations" and unknown bugs. Zero day is not the day of release (as I had previously believed), it's the day that the developer is made aware that an unknown bug has been released. Either way the definition reduces to "bug", so the only reason I can see to use it is that it sounds more exciting.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  6. Paradox by Anonymous Coward · · Score: 0

    Maybe this bug was leaked because of this bug?

    Too much recursion....

    *Head explodes*

  7. meta-bug? by Anonymous Coward · · Score: 1

    I never meta bug I didn't like

    -anonymous black-hat

  8. NSA is pissed! by GameboyRMH · · Score: 1

    "NOOOO those were supposed to be private! Only for access to authorized Bugzilla users and those with the technical means to steal the information!!! Our precious cyberweapons, RUINED!!! T_T " - NSA

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Bug in a bug by kbg · · Score: 4, Funny

    Reminds me of the day I called the software developer to report a bug in the bug reporting software that made it unable to save a bug report. His response was (seriously): "Just create a bug report about the problem".

    1. Re:Bug in a bug by raymorris · · Score: 1

      Did that report bug you?

    2. Re:Bug in a bug by Anonymous Coward · · Score: 0

      Didn't you get the memo about the TPS reports?

    3. Re:Bug in a bug by Anonymous Coward · · Score: 1

      I lost it in the fire.

    4. Re:Bug in a bug by K.+S.+Kyosuke · · Score: 1

      Perhaps you were supposed to create the bug report in the bug tracker vendor's bug tracker? (Well, provided that *that* one would work.)

      --
      Ezekiel 23:20
    5. Re:Bug in a bug by kbg · · Score: 1

      No this was an in-house bug tracking software. All our software products used the bug tracker including of course the bug tracker itself. There was a strict company policy that all bug reports should be created in the bug tracker and you should never contact the developer directly about bugs. No exceptions :)

  10. There's an In Soviet Russia joke here somewhere... by cant_get_a_good_nick · · Score: 1

    But my joke DB just came down with a SQL injection bug and the best it came up with was "20 bucks, same as in town"

  11. Haha only serious by BillX · · Score: 1

    (N)ation-(S)tate (A)ctors... I see what you did there.

    --
    Caveat Emptor is not a business model.