Slashdot Mirror


Bugzilla Breached, Private Vulnerability Data Stolen

darthcamaro writes: Mozilla today publicly announced that secured areas of Bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the Bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

10 of 97 comments

  1. Haha. by Anonymous Coward · Score: 3, Insightful

    You just can't make this stuff up.

    I've come to the conclusion that human nature just does not allow good security. If you make something completely secure, you've spent way too much time on it and your competitors have beat you to market. People don't care.

  2. Interesting Data Point by Bill Hayden · Score: 5, Interesting

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them. Some bugs had been open for over 300 days. What this says to me is that by keeping vulnerabilities private, it makes vendors lazy about fixing them, and is another data point in favor of the "full disclosure" model of computer security.

    --
    Protect your browser with the Force Safe Search add-on

    1. Re:Interesting Data Point by Anonymous Coward · Score: 3, Interesting

      What this says to me

      I'm glad it's talking to you, and not that you're actually concluding anything, nor even making correct observations.

      It demonstrates that disclosure should occur after a certain limited time period, but not "full disclosure". No bug is fixed instantly, and Mozilla didn't "immediately" do anything - it just did so in a short time.

      It never ceases to amuse me how binary nerds are in their answers to problems. Every real-world problem involves a nuanced solution which acknowledges extremes only as an initial, crude approximation of reality.

      (Communists, libertarians, atheist-zealots and God-thumpers can fuck off for the same reasons.)

    2. Re:Interesting Data Point by Anonymous Coward · Score: 4, Insightful

      Absolutely true.

      There was one password stealing bug (javascript can steal focus between tabs) that I was tracking in Firefox for _over 2 years_ that kept getting deferred.

      Then one day, it got reported on one of the big security mailing lists. Suddenly, a new bug report got created and fixed within 2 days, and the 2 year old bug report got marked as a duplicate. The devs went on to pat themselves on the backs and crow publicly about how they fixed it so quickly.

    3. Re:Interesting Data Point by radarskiy · Score: 3, Insightful

      "it makes vendors lazy about fixing them"

      You cannot say this without knowing what they were doing instead of fixing these particular bugs. They may have correctly triaged the undisclosed bugs in terms of importance until disclosure forced less important bugs to a higher urgency.

    4. Re:Interesting Data Point by DNS-and-BIND · Score: 3, Insightful

      Oh, come on, that's bullshit. Mozilla hates fixing bugs and would much rather work on adding new features. Anytime someone tries to pull that "we are working on more important bugs" baloney, it means they're not working on anything. Those bugs will sit there unfixed for years; if they were actually prioritizing bugs, they'd get fixed eventually. But, no. It's just a phrase they use to brush off criticism.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

  3. Re:Chrome by Anonymous Coward · Score: 5, Informative

    Just one more reason to use Chrome. Firefox hasn't offered anything in years that Chrome doesn't do and does better, and since it's free and open source there's really no reason at all to stick with a legacy browser.

    Chromium is open source. Chrome is not.

  4. *Mozilla* Bugzilla breached. Not all bugzillas by Da w00t · Score: 5, Informative

    Please update the article title, JFC.

    --

    da w00t. mtfnpy?

  5. Re:Lol by bob_super · Score: 3, Interesting

    Noscript + adblock + ghostery + gestures + faviconizetab + tabmixplus + Not_from_Google + Not_from_Apple + Not_from_MS + ...

  6. Flip side: Higher priority bugs remain unfixed by davidwr · Score: 4, Insightful

    The most interesting aspect of this, in my opinion, is that once the vulnerabilities were known to not be private anymore, the vendor (Mozilla in this case) immediately fixed all of them

    A better way of saying what really happened:

    ... is that once the vulnerabilities were known to not be private anymore, the vendor ... was forced to pull resources from more severe but still-believed-to-be-undisclosed bugs to get these patched, resulting in delays in getting those more-severe bugs fixed.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.