Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugzilla Bug Exposes Zero-Day Bugs

Posted by samzenpus on from the bug-hive dept.

tsu doh nimh writes A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

2 of 34 comments (clear)

  1. Re:Nice going by jbolden · · Score: 4, Interesting

    CheckPoint who noticed this hole wanted to make a point about failure to audit in open source projects: essentially that no one actually audits open source projects unless they are paid to so someone should be paying for auditing. Mozilla foundation doesn't know if anyone actually had exploited this bug and it requires some specifics about how Bugzilla is setup.

  2. Re:Headline does not match subject by Dr.+Evil · · Score: 4, Interesting

    You get administrative rights, it's in the Checkpoint report in the article: http://www.checkpoint.com/blog...

    Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:
    1.The bug enables unknown users to gain administrative privileges
    2.By using these admin credentials, attackers can then view and edit private and undisclosed bug details. Software bug tracking data is typically closely guarded as it exposes software vulnerabilities and known issues
    3.Furthermore, this access allows attackers to exploit design weaknesses, or even irreversibly destroy bug data, slowing down development

    And have info about their disclosure:

    September 29th – Vulnerability discovered and verified by Check Point security researchers
    September 30th – Report submitted to the Bugzilla team
    September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla
    September 30th – Bugzilla team privately shared preliminary patch with prominent Bugzilla installations
    October 6th – Security advisory and final patch released

    The Checkpoint article is a lot more professional than the Krebs article No jabs at FOSS either.

    This looks like a major company which uses FOSS (IIRC, SPLAT is a Linux-based-platform) made a contribution in discovering a vulnerability in common software.