Toshiba loses $460m; Bugzilla breached, Firefox hacked; BlackBerry drops $610m on Good

An attacker has successfully broken into a secure area of Mozilla’s Bugzilla bug-tracking tool, stolen information on vulnerabilities in the company’s Firefox web browser and exploited at least one of those vulnerabilities.

Mozilla revealed the occurrence of the breach late last week on its company security blog. The entry was penned by Richard Barnes, whose LinkedIn page lists him as Firefox Security Lead at Mozilla.

While much of the information housed in Bugzilla is available to the public, Barnes explained, security-sensitive information is accessible only to certain privileged users.

“[W]e are disclosing today that someone was able to steal security-sensitive information from Bugzilla. We believe they used that information to attack Firefox users,” Barnes wrote. “We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6.”

The company provided an FAQ list with more details on the attack. The list elaborated: “The largest known impact on users is through the vulnerability we fixed on August 6th. We know that an attack exploiting that vulnerability was used to collect private data from Firefox users visiting a news site in Russia. There is no indication that any of the other bugs the attacker accessed have been exploited.”

Barnes said the version of Firefox released on 27 August fixed all the vulnerabilities that the attacker learned about and could have used to harm Firefox users.

According to the FAQ, the attacker obtained the Bugzilla password for an existing user who could access the security-sensitive information on the site. A Mozilla investigation suggested the Bugzilla user had used the same password for an account on another website, and the password was revealed through a data breach at that site.

Logs indicated that the attacker accessed 185 bugs that were not publicly available. 22 of these were “Minor security issues”, while 53 were “Severe vulnerabilities”.

Of those 53 severe vulnerabilities, “43 had already been fixed in the released version of Firefox at the time the attacker found out about them. The information in those bugs likely could not have been used to attack Firefox users,” the FAQ said.

For each bug, there was a ‘vulnerability window’ that extended from when the attacker accessed the bug’s details to when the bug was fixed in Firefox.

“It is technically possible that any of these bugs could have been used to attack Firefox users in the vulnerability window. One of the bugs open less than 36 days was used for an attack using a vulnerability that was patched on August 6, 2015. Other than that attack, however, we do not have any data indicating that other bugs were exploited,” the FAQ said.

Blackberry buys Good Technology

BlackBerry last week announced that it has entered into a definitive agreement to acquire mobile security company Good Technology for US$425 million (approximately $610 million at the time of announcement).

BlackBerry said the acquisition will expand its “ability to offer cross-platform EMM [enterprise mobility management] solutions”.

“By acquiring Good, BlackBerry will better solve one of the biggest struggles for CIOs today, especially those in regulated industries: securely managing devices across any platform. By providing even stronger cross-platform capabilities, our customers will not have to compromise on their choice of operating systems, deployment models or any level of privacy and security,” said John Chen, BlackBerry executive chairman and CEO.

BlackBerry said it expects the acquisition to be completed by the end of its 2016 fiscal third quarter — which is around the end of November this year.

Toshiba’s $460 million loss

Electronics manufacturer Toshiba has revealed that it will book an annual loss of $460.1 million to account for a profit-padding scandal, according to Sky News.

The annual results follow earlier revelations that top executives at the company pressured staff to inflate profits by around US$1.2 billion since 2008, Sky reported.

According to the WSJ, Toshiba said earlier this week it was taking steps to avoid a repeat of the scandal.

“I am strongly feeling the social responsibility of alarming and causing trouble to our 400,000 shareholders, including domestic and international investors, as well as our clients and the authorities concerned,” Toshiba president Masashi Muromachi was quoted as saying. “We will devote ourselves wholeheartedly to regain your trust and revive Toshiba under the new management.”

Image courtesy DigitPedia Gadgets under CC