Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugzilla Bug Exposes Zero-Day Bugs

Posted by samzenpus on from the bug-hive dept.

tsu doh nimh writes A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

2 of 34 comments (clear)

  1. Re:Nice going by Vellmont · · Score: 4, Informative


    Warn the people in charge of the project, not the general public.

    This is exactly what was done.

    “An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license.

    “This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed,” Stamm said. “There have been no reports from users that sensitive data has been compromised and we have no other reason to believe the vulnerability has been exploited. We expect the fixes to be released on Monday.”

    --
    AccountKiller
  2. Re:Zero-Day - redundant. by TheCarp · · Score: 4, Informative

    I thought "Zero day" refered to when the bug or exploit became known to either the developer or public?

    Developers can't fix bugs they don't know about it, so "day zero" is really the day the fact that there is a bug becomes known and fixable. Up to that point, including while it is being used in the wild but not yet discovered, it is still "zero day"

    That is the obsession on both sides. Criminals want zero days because it means they are ahead of the game. Everyone else worries about them when they are discovered because there is always a question of whether it was already exploited.

    --
    "I opened my eyes, and everything went dark again"