Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugzilla Bug Exposes Zero-Day Bugs

Posted by samzenpus on from the bug-hive dept.

tsu doh nimh writes A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

10 of 34 comments (clear)

  1. Bug redux? by Anonymous Coward · · Score: 4, Funny

    So I heard you like learning about bugs.

  2. Nice going by ArcadeMan · · Score: 4, Insightful

    So, instead of waiting for that to be patched, the news is spreading that people can use it to find security holes in a lot of software. I'm all for open formats, open source and whatnot, but this is not a good way to do things regarding security. Warn the people in charge of the project, not the general public.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Nice going by Vellmont · · Score: 4, Informative


      Warn the people in charge of the project, not the general public.

      This is exactly what was done.

      “An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license.

      “This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed,” Stamm said. “There have been no reports from users that sensitive data has been compromised and we have no other reason to believe the vulnerability has been exploited. We expect the fixes to be released on Monday.”

      --
      AccountKiller
    2. Re:Nice going by jbolden · · Score: 4, Interesting

      CheckPoint who noticed this hole wanted to make a point about failure to audit in open source projects: essentially that no one actually audits open source projects unless they are paid to so someone should be paying for auditing. Mozilla foundation doesn't know if anyone actually had exploited this bug and it requires some specifics about how Bugzilla is setup.

    3. Re:Nice going by kbg · · Score: 4, Funny

      Unfortunately they reported the zero day bug about Bugzilla into Bugzilla :)

  3. Yo Dawg! by CajunArson · · Score: 4, Funny

    We heard you like bugs. So we introduced a bug in your bug-reporting system so you can exploit one bug to exploit other bugs.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  4. Zero-Day - redundant. by Anonymous Coward · · Score: 3, Insightful

    What/why is this obsession/FUD with calling things "Zero-Day" bugs? Is this to suggest that bugs magically appear the 10th day or whatever after release?

    A bug/exploit in the software is always there at the zero-day. Doesn't matter if it's found immediately or 20 years from release.

    1. Re:Zero-Day - redundant. by TheCarp · · Score: 4, Informative

      I thought "Zero day" refered to when the bug or exploit became known to either the developer or public?

      Developers can't fix bugs they don't know about it, so "day zero" is really the day the fact that there is a bug becomes known and fixable. Up to that point, including while it is being used in the wild but not yet discovered, it is still "zero day"

      That is the obsession on both sides. Criminals want zero days because it means they are ahead of the game. Everyone else worries about them when they are discovered because there is always a question of whether it was already exploited.

      --
      "I opened my eyes, and everything went dark again"
  5. Bug in a bug by kbg · · Score: 4, Funny

    Reminds of the day I called the software developer to report about a bug in the bug reporting software that made it unable to save a bug report. His response was (seriously): "Just create a bug report about the problem".

  6. Re:Headline does not match subject by Dr.+Evil · · Score: 4, Interesting

    You get administrative rights, it's in the Checkpoint report in the article: http://www.checkpoint.com/blog...

    Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:
    1.The bug enables unknown users to gain administrative privileges
    2.By using these admin credentials, attackers can then view and edit private and undisclosed bug details. Software bug tracking data is typically closely guarded as it exposes software vulnerabilities and known issues
    3.Furthermore, this access allows attackers to exploit design weaknesses, or even irreversibly destroy bug data, slowing down development

    And have info about their disclosure:

    September 29th – Vulnerability discovered and verified by Check Point security researchers
    September 30th – Report submitted to the Bugzilla team
    September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla
    September 30th – Bugzilla team privately shared preliminary patch with prominent Bugzilla installations
    October 6th – Security advisory and final patch released

    The Checkpoint article is a lot more professional than the Krebs article No jabs at FOSS either.

    This looks like a major company which uses FOSS (IIRC, SPLAT is a Linux-based-platform) made a contribution in discovering a vulnerability in common software.