Slashdot Mirror


Bugzilla Breached, Private Vulnerability Data Stolen

darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

97 comments

  1. Haha. by Anonymous Coward · · Score: 3, Insightful

    You just can't make this stuff up.

    I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beat you to market. People don't care.

    1. Re:Haha. by Anonymous Coward · · Score: 0

      Yes, many are too lazy to spend the little extra time to do it correctly. I haven't been bitten yet, so why care?

    2. Re:Haha. by Anonymous Coward · · Score: 0

      Uh-huh.
      And if you make it idiot-proof, then you can be pretty sure that only idiots will be going to use it. (*sigh!*)

    3. Re: Haha. by Anonymous Coward · · Score: 0

      I came here to type "Hahahahahahahaha who cares anymore?" This shit is unbelievable. Bugzilla is a terrible piece of software, as anyone who's ever used it knows. This is no surprise to me. WHY ARE PEOPLE USING BUGZILLA?

    4. Re: Haha. by Anonymous Coward · · Score: 0

      Rhymes with hogfood

    5. Re: Haha. by Anonymous Coward · · Score: 0

      because it is free.

      Always remember: Open source is only free if your time is worthless.

    6. Re: Haha. by Anonymous Coward · · Score: 0

      Closed source is only free if... hm, I guess it's not. And of course, nobody has ever spent any time at all trying to delete that last fucking page of a Microsoft Word document.

    7. Re: Haha. by Anonymous Coward · · Score: 0

      Doesn't this assume that you spend every minute of your day earning money? If you spend time you wouldn't spend working using open source, how is that an actual loss? On paper, yes your time is 'wasted' but I can't imagine people who are productive 24 hours a day.
       
      I hear people make this argument at work "It takes too much time to do it cheaply and time is money!" Yes, if you're spending all 8 hours being productive. If you're standing there pounding the pooch anyway, it doesn't actually cost more for you to do your job properly.

    8. Re: Haha. by Anonymous Coward · · Score: 0

      Slow day for Microsoft shills?

      http://itsfoss.com/97-percent-worlds-top-500-supercomputers-run-linux/

      97 Percent Of The World’s Top 500 Supercomputers Run Linux

      distrowatch.com

      http://www.technobuffalo.com/2013/08/22/nsa-windows-8-exploit/
      http://www.technobuffalo.com/2013/07/11/microsoft-gave-the-nsa-direct-backdoor-access-to-outlook-skype/
      http://winsupersite.com/windows-10/how-stop-windows-10-upgrade-downloading-your-system
      http://www.extremetech.com/computing/195592-with-windows-10-microsoft-could-move-to-a-subscription-based-model
      http://www.extremetech.com/computing/205320-microsoft-windows-10-will-be-the-last-version-of-windows
      https://www.youtube.com/watch?v=5GU5uv28a3I
      http://techrights.org/2015/07/31/vista-10-anticompetitive/
      https://www.youtube.com/watch?v=wwRYyWn7BEo
      https://www.youtube.com/watch?v=Gghj03J_ri0
      http://localghost.org/posts/a-traffic-analysis-of-windows-10
      http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

      https://gitlab.com/windowslies/blockwindows
      I suggest just copy the hosts file to your /etc folder. Disable Automatic updates and read every KB before you let it update/install in the future (forever). When Patch Tuesday or "some special scary news occasion" comes... just rename the hosts file to hosts_disable or similar while you do any updates you care to. Reboot and rename the hosts file back to hosts so it is detected.

      Who would care to steal Bugzilla's bugs for Firefox? Maybe oh I don't know, look at any company with a complete CLOSED SOURCE GLOBAL SPYWARE OPERATING SYSTEM LIKE WINDOWS 10... or you know a company pushing a new browser.

      Could be anybody sure because there is a buyer for that information.

    9. Re: Haha. by Anonymous Coward · · Score: 0

      Pirated.

    10. Re: Haha. by Anonymous Coward · · Score: 0

      Everything has a cost, whether financial or otherwise. Before I had children I wasted a lot of time doing meaningless things on the Internet, like filing almost 2,000 Bugzilla bugs. Now I don't have time for that shit as I'd much rather spend time with my son than waste it pointing out what a failure Firefox has become.

    11. Re: Haha. by Anonymous Coward · · Score: 2, Interesting

      Bugzilla is an especially bad piece of software. I had to use it for years.

      Here's the proof:
      https://bugzilla.mozilla.org/show_bug.cgi?id=540

      This bug was open since 1999 and survived a complete rewrite of Bugzilla in another language. Nice read if you have the time.

      How someone could still use this piece of crap is beyond me. Especially Mozilla.

    12. Re:Haha. by Anonymous Coward · · Score: 1

      Indeed. I worked for a software 'security' startup with security certifications and security is the least important priority. They have documented procedures that are demanded by the customers and they exist purely for show.
      Some examples are:
      - Most developers have full read/write access to customer data and many modify it without telling anyone (procedures require tickets).
      - Vulnerabilities such as XSS are ignored by developers and we have to notify customers within 30 days by contract. Upper management orders to not tell customers.
      - Support and sales share customer passwords over email ... threads get forwarded around with said passwords.
      - Some of the third-party libraries' versions are up to a decade old ... yet still maintained but the devs are afraid to upgrade.
      - Some devs bring code from former employers and are praised for it.
      - Lead devs have no understanding of unit tests and refuse to write them: it is QA's job to find bugs.

      And this is happening at a successful 'unicorn' startup, the customers are very large financial companies, health insurances, even foreign government agencies.

      I can only conclude that security certifications are meaningless since the external auditors make no efforts whatsoever to confirm that the procedures are nothing more than TSA theater.

    13. Re: Haha. by shonangreg · · Score: 1

      I know you geeks can be "eccentric", but I don't think you can pick up girls by claiming the way to fix this is to jog nude.

    14. Re: Haha. by Gerv · · Score: 1

      There was no issue with the Bugzilla software here; the problem was that a user reused their password on another site, which suffered a breach.

      Gerv

    15. Re: Haha. by Gerv · · Score: 1

      The bug is unfixed for philosophical reasons, not because it's hard to fix. The Bugzilla developers feel history should be immutable.

      And there has been no rewrite into another language since that bug was filed; Bugzilla as released by Mozilla has always been in Perl.

      Gerv

  2. Interesting Data Point by Bill+Hayden · · Score: 5, Interesting

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.

    --
    Protect your browser with the Force Safe Search add-on
    1. Re:Interesting Data Point by Anonymous Coward · · Score: 0

      Every time a vendor cries about a vulnerability being made public an angel gets its wings. Make the world a better place. Release immediately.

    2. Re:Interesting Data Point by Anonymous Coward · · Score: 3, Interesting

      What this says to me

      I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.

      It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in short time.

      It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, crude approximation of reality.

      (Communists, libertarians, atheist-zealots and God-thumpers can fuck off for the same reasons.)

    3. Re:Interesting Data Point by Anonymous Coward · · Score: 0

      What does that have to do with Republican control of Bugzilla? They control it. They rule over the main contributors lives, just as they rule over nearly every minute of all of our lives. They control everything. They are why this world is so screwed-up. It is screwed-up, because they decided to screw it up. They're the ones that did this. They did this.

    4. Re:Interesting Data Point by Anonymous Coward · · Score: 4, Insightful

      Absolutely true.

      There was one password stealing bug (javascript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.

      Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2 year old bug report got marked as a duplicate. The devs went on to pat themselves on the backs and crow publicly about how they fixed it so quickly.

    5. Re:Interesting Data Point by Anonymous Coward · · Score: 1

      After reading the article it seems like they held up on those last 10 severe vulnerabilities due to potential regressions.

    6. Re:Interesting Data Point by radarskiy · · Score: 3, Insightful

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

    7. Re: Interesting Data Point by Anonymous Coward · · Score: 0

      Dude!

    8. Re:Interesting Data Point by Anonymous Coward · · Score: 0

      Do you have link for this bug? (surely you do since you were tracking it for _over 2 years_)

    9. Re:Interesting Data Point by DNS-and-BIND · · Score: 3, Insightful

      Oh, come on, that's bullshit, Mozilla hates fixing bugs and would much rather work on adding new features. Anytime someone tries to pull that "we are working on more important bugs" baloney, it means they're not working on anything. Those bugs will sit there unfixed for years, if they were actually prioritizing bugs they'd get fixed eventually. But, no. It's just a phrase they use to brush off criticism.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    10. Re:Interesting Data Point by citizenr · · Score: 1

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs.

      we do know, they SAT ON THEM

      --
      Who logs in to gdm? Not I, said the duck.
    11. Re:Interesting Data Point by amorsen · · Score: 1

      They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

      They made the assumption that undisclosed bugs are unknown to blackhats. As the breach shows, that is a pretty bad assumption.

      Basing importance on the disclosure status is a horrible policy, and the only effective antidote is immediate full disclosure without grace period.

      --
      Finally! A year of moderation! Ready for 2019?
    12. Re:Interesting Data Point by ioErr · · Score: 1

      Most likely referring to this bug or one of its duplicates: https://bugzilla.mozilla.org/s...

  3. Re:Chrome by Anonymous Coward · · Score: 5, Informative

    Just one more reason to use Chrome. Firefox hasn't offered anything in years that Chrome doesn't do and does better, and since it's free and open source there's really no reason at all to stick with a legacy browser.

    Chromium is open source. Chrome is not.

  4. *Mozilla* Bugzilla breached. Not all bugzillas by Da+w00t · · Score: 5, Informative

    Please update the article title, JFC.

    --

    da w00t. mtfnpy?
    1. Re:*Mozilla* Bugzilla breached. Not all bugzillas by Anonymous Coward · · Score: 0

      You're asking Soulskill to expend effort on something. I wouldn't hold my breath.

  5. Re: Republicans don't give a damn about security.. by Anonymous Coward · · Score: 0

    They hate us. You should never vote for someone that hates you.

  6. Lol by Anonymous Coward · · Score: 0

    People still use Firefox? ....No really, seriously.

    1. Re:Lol by Anonymous Coward · · Score: 0

      People still use Firefox? ....No really, seriously.

      Tell us all the software you use, so that we may laugh at you.

    2. Re:Lol by bob_super · · Score: 3, Interesting

      Noscript + adblock + ghostery + gestures + faviconizetab + tabmixplus + Not_from_Google + Not_from_Apple + Not_from_MS + ...

    3. Re: Lol by Anonymous Coward · · Score: 0

      Is a list of things that will be gone in a year when Firefox removes their current extension API and forces everyone to use their current UX-driven monstrosity of a UI?

    4. Re: Lol by Anonymous Coward · · Score: 0

      Less than a year.

    5. Re: Lol by Anonymous Coward · · Score: 0

      And when they do, it's Pale Moon time.

    6. Re: Lol by Anonymous Coward · · Score: 0

      Mozilla Corporation will be bankrupt within 2 years of ending support for XUL extensions. Mark my words.

  7. Noticeably absent is WHEN this happened by 93+Escort+Wagon · · Score: 2

    Perhaps Mozilla discovered this long ago, but have spent all this time trying to ascertain the political opinions held by the attacker?

    --
    #DeleteChrome
    1. Re:Noticeably absent is WHEN this happened by Anonymous Coward · · Score: 0

      I was waiting for the first post to blame this on SJWs. I knew it would happen. It happened. Huhuhh Eich resigned because he was a bigot, therefore Mozilla = evil, amirite?

      Idiot.

    2. Re:Noticeably absent is WHEN this happened by nickweller · · Score: 1

      "The earliest confirmed instance of unauthorized access dates to September 2014" ref

  8. Re:Republicans don't give a damn about security... by Anonymous Coward · · Score: 0

    My God! You idiot moderators! Can't you enjoy a little sarcasm every now and then? Stop being such politically correct morons!

  9. I hate computers by AndyKron · · Score: 1

    I'm beginning to hate computers with a passion.

    1. Re:I hate computers by amicusNYCL · · Score: 1

      Why? Computers only do what the programmers tell them to. What exactly do you hate about them?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:I hate computers by Anonymous Coward · · Score: 0

      probably the same reason we all do.

      They are wonderful when they work. But when they don't, they are frustrating lumps of plastic and sand.

    3. Re: I hate computers by Anonymous Coward · · Score: 0

      This, I find myself wanting to learn more about how to fix engines instead of programming. Which is sad because I've loved computers and all that comes with it for over 16 years. I am just growing tired of it all. I would rather tweak my dirtbike and fix my cars.

      I may be becoming a gear head and not a puter nerd anymore:(

      Maybe I'll learn to write firmware for cars or something. Who knows.

    4. Re:I hate computers by antdude · · Score: 1

      Same here. I used to love computers, but these days I care not for them. Looking at the recent and newer stuff doesn't excite me anymore like those mobile, GUI, so many bugs, lack of support, security, so many updates, etc. Maybe it is my old age. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:I hate computers by antdude · · Score: 1

      Same here. It amazes me how easily they break in software and hardware. They're getting too complex. I prefer older stuff that just works well. :/

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  10. Bugzilla by allo · · Score: 1

    Nomen est Omen.

  11. A return to priorities? by SeaFox · · Score: 2, Insightful

    Gee Mozilla. Better get to work fixing those 185 vulnerabilities now, instead of sitting on them while you work on copying Chrome's look and feel or think of new unrelated tech ventures to get involved in.

    1. Re:A return to priorities? by 0123456 · · Score: 0

      Fixing bugs is boring. Particularly when you're an SJW who wants to Save The World.

    2. Re:A return to priorities? by Anonymous Coward · · Score: 0

      This. And while you're at it, nobody wants multi-process tabs - that's Chrome shit. And a 64-bit version? Forget it. And improving your hardware acceleration? Nonsense. And don't even get me started on all the time you've wasted on implementing HTML5 features just to be more like Chrome. You lazy assholes.

    3. Re: A return to priorities? by Anonymous Coward · · Score: 0

      Then the solution would be to tell mozilla developers that bugs are homophobe sexist patriarchy turned into code

    4. Re:A return to priorities? by Anonymous Coward · · Score: 0

      http://www.engadget.com/2015/0...

      No time to work on bugs when you're busy conducting a witch hunt because "blue-haired" is 100% actual hate speech. That and all their drum beating about diversity and culture, it's a wonder they've managed to get anything done of late.

    5. Re:A return to priorities? by Anonymous Coward · · Score: 0, Interesting

      I work for Mozilla. So I am really getting a kick out of most of these replies. Some of you guys are very good at making it sound like you know what you are talking about. But trust me.... You don't. I think you just want to make yourself sound smart, when in reality you don't know what you are talking about. This is how bad info gets passed around. If you don't know about the topic....Don't make yourself sound like you do. Because some Slashdotters believe anything they hear.

    6. Re:A return to priorities? by F.Ultra · · Score: 2

      Apparently most of them have been fixed a long time ago, the rationale behind the 185 number is that the account was compromised back in September 2013 and according to the user history he had looked at 185 bugs during that time frame.

    7. Re:A return to priorities? by Anonymous Coward · · Score: 0

      *Some* Slashdotters? Yikes, you greatly over-estimate us. The hivemind here is incredible. This is not a place for rational thought or logic. If I had a nickel for every time people here just come up with some half-baked theory of everything that's wrong with [insert topic here], I'd still not be as rich as Rob Liefeld.

    8. Re:A return to priorities? by Anonymous Coward · · Score: 0

      You clearly have problems that not even the theoretical Mozilla you are arguing exists could solve.

    9. Re:A return to priorities? by tajribah · · Score: 1

      The single fact that there was a high-security bug unfixed for at least 335 days (as admitted by Mozilla's FAQ) tells that there was something very seriously wrong in Mozilla's handling of security vulnerabilities. That is the reality and it should be passed around.

    10. Re:A return to priorities? by Anonymous Coward · · Score: 0

      Mozilla: Mozilla Corporation believe in promoting a tolerant and diverse workplace. Towards that end, employees who express opinions other than those approved by management will be fired.

    11. Re:A return to priorities? by Anonymous Coward · · Score: 0

      Uh-huh, so what do you have to say about this bullshit? I see bad bugs hang around for years as well.

    12. Re:A return to priorities? by Anonymous Coward · · Score: 0

      Some bugs are harder to fix than others. Accidentally writing a zero byte one past the intended memory range might be easy to fix. (Mozilla received such a bug report, once, that was ultimately determined to be fully exploitable.) An architectural issue requiring a fundamental rethink of a particular area of code will be far harder to fix. If this bug was more similar to the latter than to the former, perhaps 335 days is -- well, more understandable, at least, even if not desirable or fully justifiable.

    13. Re:A return to priorities? by Lennie · · Score: 1

      Do you really believe you can easily find developers that are really good at security code auditing and fixing security issues or use other developers and let them fix these security issues? I don't think these things are related.

      --
      New things are always on the horizon
    14. Re:A return to priorities? by tajribah · · Score: 1

      I accept that some security bugs can be hard to fix. Still, it gives a clear message about the values held by the organization if copying Chrome's UI has higher priority than fixing security bugs.

    15. Re:A return to priorities? by SeaFox · · Score: 1

      Firefox isn't one of those volunteer-staffed community projects. It has a large non-profit with paid developers backing it. Given all the people that use Firefox on a day-to-day basis to carry out sensitive health and financial-related tasks online, is it wrong to think Mozilla should hire a security-focused developer into the fold?

    16. Re:A return to priorities? by Anonymous Coward · · Score: 0

      That assumes developers are fungible, and that the developer who instead copies Chrome's UI, if we call it that, could be tasked with fixing security bugs instead. That certainly isn't the case for, say, an exploitable garbage collector bug.

    17. Re:A return to priorities? by tajribah · · Score: 1

      Well, yes and no... Within a year, almost anybody can learn to fix a garbage collector.

  12. Re: Chrome by Anonymous Coward · · Score: 0

    Firefox isn't open source any more. If you were to build Firefox from source, you would be missing DRM modules and wouldn't be allowed to call it Firefox due to Mozilla's asinine take on trademark laws. Iceweasel is open source, Firefox is not.

  13. Re:Republicans don't give a damn about security... by Anonymous Coward · · Score: 0
  14. bugzilla... by Anonymous Coward · · Score: 0

    got some bugs.

  15. Flip side: Higher priority bugs remain unfixed by davidwr · · Score: 4, Insightful

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them

    A better way of saying what really happened:

    ... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Flip side: Higher priority bugs remain unfixed by Anonymous Coward · · Score: 0

      You have no proof of that at all. What I think happened is that some programmers who were inactive or working on the next new feature no one wants got reassigned to fixing bugs like they should have been doing all along.
      Severity is something very subjective and full disclosure has a tendency to align the vendor's opinion with the user's opinion, which is a good thing.

    2. Re:Flip side: Higher priority bugs remain unfixed by Anonymous Coward · · Score: 0

      I guess we have to take their word for it since the nature of those other bugs aren't public. Do you trust Mozilla Corporation? Because I don't.

  16. Mozilla has to do a full infrastructure review. by Anonymous Coward · · Score: 0

    Given the nature of this breach, I think that Mozilla's only option is to perform a full security review of their entire infrastructure and all of their products.

    I'm talking about every physical and virtual server that interacts with their network, including all servers, desktops, laptops and mobile devices. I'm talking about every software system, from Bugzilla to source repos to web servers to FTP servers to database servers to every other kind of software system they may be using.

    I think that all of their products, including Firefox, Thunderbird and Rust, should also undergo a line-by-line security review to ensure that they weren't tampered with in any way.

    The results should be presented to the public in a way that lets us know that they've done a thorough job of such a review, so that we can be confident that there are no more issues to be found.

    Will it be costly? Probably. Will it take a lot of time and effort? Probably.

    But if there was one breach, then I think we need some assurance that there weren't others. Given the nature of their products, and how critical security is to pretty much all of them, I think such a review is the only reasonable option.

    1. Re:Mozilla has to do a full infrastructure review. by Anonymous Coward · · Score: 0, Flamebait

      Given the nature of this breach, I think that Mozilla's only option is to perform a full security review of their entire infrastructure and all of their products.

      "We have performed a full security review of our entire infrastructure and all of our products, and we recommend moving to a flat design on a rolling release schedule with a cadence of one release per week. In order to reduce the number of code paths and further simplify the process of regression testing, all variables in about:config will be disabled, and the entire UX will consist only of one hamburger menu. Users who don't believe this represents significant progress are welcome to submit their own bugs to our all-new FlatZilla bug tracking interface, which automatically marks every user-submitted bug as WONTFIX, thereby improving our metric of closing time on bugs and demonstrating Agility as we continue to bring the Web forward."

  17. Re: Chrome by Anonymous Coward · · Score: 0

    Hi. I build firefox from source and call it Firefox all the time. So does the browser, because I enabled the --enable-official-branding flag in my build script.

  18. If they would FIX bugs, this would not happen by swschrad · · Score: 1

    Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. That's why I quit the thing for Chrome a long time ago.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:If they would FIX bugs, this would not happen by niftymitch · · Score: 0

      Mozilla has a nasty habit of warehousing bugs that can't get fixed with the wave of a hand. That's why I quit the thing for Chrome a long time ago.

      There is a rumor that the hack was from a couple personal residences
      commuting distance from NATIONAL SECURITY AGENCY (NSA) HEADQUARTERS.

      But that could be someone pulling yer leg.

      It does tell me that layers of authentication and security for
      companies and agencies very much needs attention.

      We have an Email server that apparently contained email
      at multiple levels. We have Snowden sitting at a desk able to
      take screen shots of anything he cared to. We have hacks
      of federal personnel files, Target and more...

      Sadly Windows 10 could be an improvement but it does put
      critical keys in the hands of a single company. But early inspection
      of policy enforcement has discovered nothing to scream about.
      News at 11:00 on the MS thing....

      This is fire season on the Calif West coast and there are many many bells ringing
      up and down Silicon valley. There is also a run on ear plugs.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  19. And tonight, somewhere, an NSA agent ... by davidwr · · Score: 2

    ... is crying.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  20. translation by Anonymous Coward · · Score: 0

    since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication.

    we're idiots.

  21. Re: Chrome by Anonymous Coward · · Score: 0

    So how DID you manage to build the closed source DRM modules that are required if you want to officially call your final product "Firefox"? Or did you just download them and use them that way? Firefox these days is exactly as open as Chrome is: you can build something that's almost the real thing from source, but you'll be missing "essential" components.

  22. Is the hacker gay? by Anonymous Coward · · Score: 0

    Is the hacker gay? That should be the only question they are asking now.

    If it was a womyn, she should be given an award.

  23. When SJW diversity trumps competency... by sethstorm · · Score: 1

    ...this kind of thing will happen. Hopefully they're competent enough to fix it.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  24. Re: Chrome by Anonymous Coward · · Score: 0

    No open source project ever has let people use the exact same name for their fork due to trademark, and just outright the confusion it would cause..

  25. Re: Chrome by Anonymous Coward · · Score: 0

    Except for Linux.

  26. Funny that they made the FAQ a PDF by Anonymous Coward · · Score: 0

    The one bug that is known to have been exploited is a pdf.js vulnerability where a script can search and upload local files. Are they trying to check if it's really fixed?

  27. Poor Mozilla can't catch a break by Anonymous Coward · · Score: 0

    Other than the die-hard extension lovers who have always loved Firefox, I am not sure who else really thinks Firefox is worth even having on a device? Bugzilla is a joke anyway and I see plenty of bugs get ignored, which is why Firefox is so not loved by many anymore. How can you do so many updates and not really fix much?

  28. Re: Chrome by amorsen · · Score: 1

    The Fedora build of Firefox is certainly built from source. It is still called Firefox.

    Fedora is discussing whether it is feasible to continue with Firefox-branded Firefox due to the new signed-addon policy. But for now, you can certainly get your open source Firefox fix that way.

    --
    Finally! A year of moderation! Ready for 2019?
  29. Re:Chrome by Lennie · · Score: 1

    And without Firefox lots of things Chrome/Chromium/Opera doesn't get to be standards.

    Because it's Firefox (gecko) and Chrome/Chromium/Opera (blink) are ahead of the pack. You need at least 2 browser (engine) implementations to make a standard.

    I would prefer multiple open source implementations and standards and not just a single open source implementation.

    Standards are the only way we can get rid of things like Flash.

    --
    New things are always on the horizon
  30. "Breached" by Linkreincarnate · · Score: 1

    In completely unrelated news their bank account was also breached when a literal ton of money was deposited by Five Eyes.

  31. Re: Mozilla has to do a full infrastructure review by Anonymous Coward · · Score: 0

    Why isn't this marked funny?

  32. Re: Chrome by Gerv · · Score: 1

    The code for the DRM module Firefox uses is not part of the Firefox build system, but is downloaded at runtime. This can be done whether it's a Firefox built by Mozilla or not. So the DRM question has no bearing on whether you can call your version Firefox or not.

    This series of blog posts: http://blog.gerv.net/2010/01/p... explains why Mozilla doesn't let just anyone call their modified version "Firefox".

    Gerv