
Improving Security for Bugzilla - haytjes
https://blog.mozilla.org/security/2015/09/04/improving-security-for-bugzilla/
======
0x0
So this is about how someone hacked Bugzilla, extracted sensitive information
about a vulnerability in Firefox' PDF engine, wrote a weaponized exploit for
it, deployed it as malvertising and stole some of the most sensitive files you
can get out of a user's computer...

...and then the FAQ document linked is a _PDF file_ with no styling beyond
something that could be done with HTML <h1>, <p> and <a>, hosted on a domain
"ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com".

Did I just get trolled?

~~~
yuhong
It is not a vulnerability in the PDF.js engine itself.

~~~
0x0
The original advisory certainly seems to implicate the PDF viewer component?
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-7...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/)

~~~
azakai
Yes, but it was fixed a while ago. No one using an up-to-date Firefox
would be vulnerable to that issue.

------
DaveWalk
Takeaway:

> We believe that the attacker used information from Bugzilla to exploit the
> vulnerability we patched on August 6...The version of Firefox released on
> August 27 fixed all of the vulnerabilities that the attacker learned about
> and could have used to harm Firefox users.

I find this an interesting attack vector for a capital-O Open Source project.
In the spirit of openness, how does a community correctly label bugs versus
vulnerabilities?

~~~
jquast
A: They don't.
[https://lkml.org/lkml/2008/7/15/705](https://lkml.org/lkml/2008/7/15/705)

> IOW, when we fix security issues, it's simply not even appropriate or
> relevant to you.

- Linus

~~~
Nadya
Include full quotes of relevant information - because context is important.

The very next sentence following your quote:

> _More importantly, when we fix them, your vendor probably won't have the
> fix for at least another week or two in most cases anyway._

... ...

> _We'd basically be announcing a bug that (a) may not be relevant to you,
> but (b) if it is relevant to you, you almost certainly won't actually have
> fixed packages until a week or two later available to you!_

~~~
jquast
Well I didn't want to reproduce the entire thread. The basic summary is Linus
feels that labeling bugs as a security threat should not be pointed out as
such, rather keep such information private, even though the fix is public.

Because life is short. If you want security patches, find a vendor to help
filter the bad bugs from the big bugs for you.

In the meantime, hackers see the fix, recognize the security risk, and build
exploits long before your vendors even recognize it as a potential security
risk (probably only after it is exploited in the wild would they understand it
as such). Good luck with that.

~~~
geofft
Mozilla _is_ a vendor. Very few people get a Firefox rebuilt by a third party.
(And, in fact, Mozilla takes steps to make that more cumbersome to do legally
than just redistributing the upstream build.)

Linux is relatively unusual among security-sensitive free-software products in
neither being a vendor nor wanting to be a vendor.

------
jordigh
My, that sounded like a very boring title. I suppose saying something positive
like "Improving security for bugzilla" is a better way to present a story than
"someone has managed to attack Firefox users since August 6".

------
hackuser
How valuable is a Firefox vulnerability? On one hand, it seems very high: It
gives you access to hundreds of millions of computers. On the other, maybe the
supply of vulnerabilities that provide such access is high enough,
unfortunately, that they aren't worth much.

I ask because, if they are extremely valuable, I wonder if Bugzilla can be
adequately secured against the attackers it would attract. Perhaps it would be
best to store this information elsewhere until they are ready to make it
public.

------
kryptiskt
So this is basically sinking without a trace, likely thanks to the anodyne
title and the release on a Friday. Mozilla is going corporate.

~~~
zobzu
Having worked in many places and with many projects:

100 out of 100 corporations and most open source projects I know of would
simply have never ever told you about it.

So, while I'm sure Mozilla is more corporate than before in a thousand ways
this is not one of them.

