Unknown Attacker Creeps into Bugzilla, the Open-Source Bug-and-Change Tracker
FREMONT, CA: Bugzilla, the open-source bug-and-change tracking database that Mozilla's developers use to log issues, was accessed by an unknown attacker, and information on 53 vulnerabilities was stolen; at least one of them has since been used to attack Firefox users.
Bugzilla is largely public, so most bugs are discussed in the open before changes are made; some bugs, however, in particular security fixes that are still in progress, are visible only to privileged account holders.
The exploit in question is the one Mozilla patched on August 6, 2015, after reports that code served by a Russian news site was searching visitors' machines for sensitive files and uploading them to a server in Ukraine. That exploit stole files related to developer tools. The Bugzilla intruder was evidently looking for details of the bugs recorded there.
Mozilla has established that the privileged account was accessed at least as far back as September 2014, and the intrusion may have begun as early as a year before that. Of the 53 critical vulnerabilities the attacker had access to, 43 had already been fixed; of the remaining 10, 3 were still open, meaning a patch was being worked on but had not yet been released. The attacker is suspected to have exploited a vulnerability recorded in Bugzilla that remained unfixed for 36 days.
The Mozilla team has taken steps to secure Bugzilla: passwords have been reset on accounts with access to security-sensitive information, two-factor authentication has been introduced, and other measures are in place. Richard Barnes, Security Lead at Mozilla, explains that the company has also begun reducing the number of users with privileged access and limiting what each privileged user can do.
Mozilla has advised users to update their browser to Firefox 40, in which all of the vulnerabilities have been patched.