Monday, September 21, 2015

Bugzilla patch for PerimeterX privilege problem

Firefox, the browser and not the crappy Clint Eastwood movie, is built on a foundation of open collaboration. Mozilla, which describes itself as “a global community of technologists, thinkers and builders working together to keep the Internet alive and accessible, so people worldwide can be informed contributors and creators of the Web”, is the organisation behind Firefox. According to Mozilla, around 40 per cent of the Firefox codebase is written by volunteers.

According to Richard Barnes, the Firefox security lead at Mozilla, the Bugzilla bug tracker is “a major part of how we accomplish our mission of openness” and, while much of the information in Bugzilla is publicly accessible, “Bugzilla restricts access to security-sensitive information so that only certain privileged users can access it.” At the start of September, Mozilla revealed that not only had Bugzilla been breached but that the security-sensitive information stolen had been used to attack Firefox users. It seems that a Bugzilla account was compromised and a particular vulnerability being discussed in it was exploited. Although Richard Barnes states that the account was closed down “shortly after Mozilla discovered that it had been compromised”, there is no indication of how long it had been actively compromised. However, the version of Firefox released on 27th August is said to have fixed all of the vulnerabilities that could have been exploited using the information gleaned by the attacker.

Mozilla immediately took steps to reduce the risk of future attacks on Bugzilla, the first being the forced introduction of two-factor authentication along with a password change for all users with access to security-sensitive data. On top of that, Mozilla announced that it would be reducing the number of users with privileged access and limiting what those users can actually do. In the words of Richard Barnes, “we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.”

Which is where Netanel Rubin, senior vulnerability researcher at PerimeterX, came in, asking whether Bugzilla was actually as secure as it should be. To cut a long story short, it wasn’t. Are you sitting comfortably? Good, then the long story can begin.