Unknown Attacker Creeps into Bugzilla, the Open-Source Bug-and-Change Tracker
FREMONT, CA: Bugzilla, the open-source bug-and-change tracking database that Mozilla's developers use to log issues, has been accessed by an unknown attacker, and information on 53 vulnerabilities was stolen, at least one of which has been used to attack Firefox users.
Most bugs in Bugzilla are open to the public, and options are generally discussed there before changes are made; but some bugs, especially those covering security fixes still in progress, are open to privileged account holders only.
The attack used a vulnerability that Mozilla patched on August 6, 2015, after reports that a Russian news site searched for sensitive files and uploaded them to a server in Ukraine. The attacker had stolen files related to developer tools, and was looking for information about the bugs recorded in Bugzilla.
Access to the privileged account has been traced back to September 2014, and the attack started a year before that. Mozilla says that of the 53 critical vulnerabilities the hacker accessed, 43 were already fixed; 3 of the remaining 10 were open, meaning a patch was being worked on but had not yet been issued. The attacker is suspected to have exploited a vulnerability entry in Bugzilla that went unhandled for 36 days.
The open-source community has taken steps to secure Bugzilla, including password resets for accounts with access to security-sensitive information, two-factor authentication, and other measures. Richard Barnes, Security Lead at Mozilla, explains that the company has also begun to reduce the number of users with privileged access and to limit what each privileged user can do.
Mozilla has advised users to update their browser to Firefox 40, in which all of the vulnerabilities have been patched.