October 10, 2014 By Douglas Bonderud 2 min read

Tracking code bugs seems like a good practice for any company regardless of size or industry, and for the past 16 years, open-source offering Bugzilla has helped information technology (IT) professionals do exactly that. But on Sept. 30, researchers from Check Point Software Technologies found a Bugzilla flaw that lets users “masquerade their identity and register under an email address not in their control.” In some instances, the flaw will “automatically provide the user with certain elevated permissions, if these are given to groups defined by regex matching.” Although a patch has been released, it’s no surprise this bug is still giving users the creeps. If companies can’t trust the bug tracker, which app is the next one to get squashed?

Bugzilla Flaw Stings

Bugzilla is a popular program. According to InfoWorld, it is used by the Mozilla Foundation, the Apache Software Foundation, Linux kernel developers, OpenOffice, OpenSSH and GNOME, to name a few. Why? Because it’s a great way to track, record and analyze potential flaws in a system. Users can comment, brainstorm and develop ways to combat small problems before they become big issues. The Bugzilla flaw, however, gives unauthorized users access to entire “collections” of bugs amassed by companies, allowing them to view vulnerabilities that have never been public or delete bug entries altogether. What’s more, the flaw has been part of the program since 2006, meaning any company using the software must get it patched immediately.

Specifically, vulnerability CVE-2014-1572 is caused by a “perl-specific security problem” that occurs during assignment of the hash value. According to Bugzilla developer Gervase Markham, the flaw “allows an attacker to override values already in the hash (specified earlier), which may have already been validated, with values controlled by them.” Attackers using a fake email address such as “.*@mozilla.com” could gain access to all entries contributed by users under that global suffix. Although no breaches have been reported, there is a real potential for exploitation or, at the very least, compromised work on security patches if hackers edit or delete bug entries.

Of Bugs and Budgets

With vulnerabilities such as Heartbleed, Shellshock and now Bugzilla causing problems in 2014, it’s small wonder that CSO Online’s “Global State of Information Security Survey” found companies reporting a 48 percent increase in IT security incidents. What’s surprising, however, is that security budgets are down 4 percent this year — especially since the cost of a breach has gone up by 53 percent for large corporations. Where’s the disconnect?

Part of the problem stems from the seemingly random nature of this Bugzilla flaw and other recent breaches. While companies continue to use standard perimeter defense techniques and beef up cloud-based protection, these bugs emerge from years of dormancy to blow secure servers wide open. Therefore, it’s likely that businesses are losing faith in more traditional security techniques — in fact, the survey found that 64 percent of companies now integrate analytics as part of their security practice and 55 percent say they’ve detected more problems as a result.

Ultimately, the Bugzilla flaw teaches a harsh lesson: No code is truly safe. Security researchers are getting better at catching zero-day exploits in the early stages and then patching vulnerabilities, but for many companies, this doesn’t quite soothe the sting. As a result, security budgets are trending downward and enterprises are looking for new ways to identify malicious behaviors, detect possible flaws and develop systems designed to handle bugs rather than betting on a network-wide insecticide.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today