Mozilla warns users of recently discovered security vulnerabilities
October 7, 2014
Earlier today, the Mozilla Foundation warned of a number of recently discovered security vulnerabilities in its bug tracking tool that could offer hackers access to sensitive information about specific software projects in the industry.
For example, one particularly serious security hole allows attackers to completely bypass email verification phases when creating new Bugzilla accounts, meaning that attackers can create accounts with any email addresses they want.
And that's certainly bad enough, but it gets even worse: Bugzilla can also be configured to automatically assign extra security privileges to accounts based on their email addresses.
This simply means that attackers can potentially utilize that security flaw to gain access to information about very critical and unpatched security flaws that would normally only be visible to insiders with high security clearance.
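The two conditions described above only become dangerous together: an address that was never verified, fed into group rules that trust the address. The following is an added, constructed illustration (not Bugzilla's code, and not the fix Mozilla shipped) of a registration flow designed so that the address stored for a new account can only come from the signed verification token, never from a field the client submits afterwards. The `GROUP_RULES` table, the `SECRET_KEY` and the token format are all assumptions made for the example.

```python
"""Constructed example: e-mail verification bound to a signed token, followed by
e-mail-based group auto-assignment that only ever sees the verified address."""
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# Constructed key; a real deployment loads this from configuration, not from code.
SECRET_KEY = secrets.token_bytes(32)

# Hypothetical e-mail-pattern group rules, in the spirit of the auto-assignment
# feature described in the article. Domain and group name are made up.
GROUP_RULES = {
    "security-team": re.compile(r"^[^@]+@example\.org$"),
}

TOKEN_MAX_AGE = 3 * 3600  # seconds a verification link stays valid (assumed value)


def issue_verification_token(email: str, now: Optional[int] = None) -> str:
    """Bind the address the user asked to register to an HMAC-signed token.

    The token (and therefore the address) is what gets mailed to the user; the
    server later trusts only what it signed here."""
    ts = now if now is not None else int(time.time())
    payload = f"{email}|{ts}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the verified e-mail address, or None if the token is forged or expired."""
    try:
        email, ts, mac = token.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check cannot be probed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    current = now if now is not None else int(time.time())
    if current - int(ts) > TOKEN_MAX_AGE:
        return None
    return email


def groups_for_email(email: str) -> list:
    """Apply the e-mail-pattern rules; callers must pass a *verified* address."""
    return sorted(name for name, rx in GROUP_RULES.items() if rx.match(email))


def create_account(token: str, submitted_fields: dict, now: Optional[int] = None) -> dict:
    """Finish registration. The address comes from the token alone.

    A weaker design that read submitted_fields.get("login_name") at this step
    would let a client register an address it never received mail for, and
    inherit whatever groups that address matches."""
    email = verify_token(token, now)
    if email is None:
        raise PermissionError("invalid or expired verification token")
    return {
        "email": email,
        "groups": groups_for_email(email),
        "real_name": submitted_fields.get("real_name", ""),
    }
```

The point of the structure is that `groups_for_email` is only ever reachable through `create_account`, which in turn only knows the address recovered from the token; any `login_name` or similar field arriving with the confirmation request is simply not consulted.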
Check Point Software, which first spotted the security flaw, says this is the first such privilege-escalation bug to be found in the Bugzilla code over the past twelve years, and Mozilla has confirmed that the security flaw exists in all versions of Bugzilla going back to version 2.23.3 produced in 2006.
Luckily, Check Point Software disclosed that security bug to Mozilla on September 29 and the two firms have been working together to provide security patches, which shipped on Monday, by the way.
"While the email-based group inclusion could have been used to get access to employee-private bugs, we have seen no evidence that it was used," said Mozilla principal security and privacy engineer Sid Stamm.
"There have been no reports from users that sensitive data has been compromised and our investigation turned up no evidence that the security vulnerability had been exploited other than by the Check Point researchers," he added.
What's more, he added that, while Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation. Still, Mozilla's server is certainly not the only one out there.
"Popular open source projects managing their security bugs using Bugzilla include Apache, Firefox, the Linux kernel, OpenSSH, Eclipse, KDE and GNOME, as well as several Linux distributions such as Ubuntu," Check Point said in a statement.
In addition to the privilege-escalation flaw, Monday's batch of security patches also resolves a few other bugs that could potentially leak data from Bugzilla servers, including cross-site scripting vulnerabilities, a bug that can allow certain flagged comments to be visible to users without the right security access, and an additional flaw that allows code injection into search result reports.
It looks like The Mozilla Foundation has its work cut out for itself in the near term. Security patches and the latest stable release of the software can be downloaded from the Bugzilla project's website.
Source: The Mozilla Foundation.