I'm betting on insider access. Microsoft had to lock down internal access to their security bugs when some employees were selling the bugs on the black market.
For what it's worth, Mozilla locks down internal access to security bugs too. I can't see those bugs, which is exactly how it should be, as I have no need to know.
Do you have a source for that? Google's not giving me anything. I'd definitely like to know more - I can't help but wonder how widespread that kind of behavior is.
I think they're asking for a source on the specific claim about Microsoft employees selling bugs on the black market, which is what I would also like to see.
I don't need to be convinced that security bugs should be on a need-to-know basis during the responsible disclosure period; that seems obviously prudent. Anyone not working specifically on security can learn about the details at the same time as the wider public.
Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence. Can anyone postmortem why it took so long now that it's fixed?
Firefox likes to bundle security fixes into .0 releases. 67.0 was released May 21 (and went to nightly/beta whatever May 13) and 68.0 won't be released for a few more weeks.
Is there a good reason for this? I would think that a security issue should be addressed and patched onto users' computers as soon as possible, especially something like RCE.
Security fixes carry the usual risk of regressions (even more than the average bug, when the fix limits something that used to "work"). Therefore they need just as much bake time as other kinds of changes.
Also, shipping security fixes in stand-alone updates makes it much easier for attackers to identify security-critical changes (especially if they have access to source code, which they do for Firefox) and reverse-engineer the flaw. Firefox developers often land critical fixes with somewhat obscured commit messages to increase the work required by attackers to identify the critical security fixes in the torrent of commits that go into each regular release.
Obviously this only makes sense while the bug is believed to be unknown to attackers. If Mozilla believes the bug is being exploited, they can and do issue an emergency update.
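As an added illustration of the point made above about obscured commit messages (example code written for this page, not Mozilla's tooling or process), the script below does what an attacker triaging a release would do: it parses a commit log and scores each commit by how much security-relevant language appears in its message. The log lines, the keyword lists and the scoring weights are all constructed assumptions, not real Firefox history; the takeaway is that a commit labelled "use-after-free, sec-critical" floats straight to the top, while the same kind of fix described as "add null check" is indistinguishable from routine churn in a large release.

```python
import re
from dataclasses import dataclass

# Constructed sample commit log (not real Firefox history). It mixes routine
# commits, one explicitly labelled security fix, and one memory-safety fix
# whose message is deliberately vague.
SAMPLE_LOG = """\
a1b2c3d Bug 1 - Fix use-after-free in ArrayBuffer detach path; sec-critical, r=reviewer
b2c3d4e Bug 2 - Update localization strings for de, r=l10n
c3d4e5f Bug 3 - Add null check before dereferencing node, r=reviewer
d4e5f6a Bug 4 - Remove unused import in test harness, r=reviewer
e5f6a7b Bug 5 - Refactor cache lookup, r=reviewer
"""

# Hypothetical keyword signals an attacker would grep for. Strong signals name
# a bug class or a security rating outright; weak signals merely hint at a
# memory-safety or robustness change.
STRONG_SIGNALS = [
    r"\buse-after-free\b", r"\buaf\b", r"\bsec-(critical|high|moderate)\b",
    r"\bcve-\d{4}-\d+\b", r"\bheap overflow\b", r"\btype confusion\b",
    r"\bsandbox escape\b",
]
WEAK_SIGNALS = [r"\bnull check\b", r"\bbounds\b", r"\bcrash\b", r"\boverflow\b", r"\bfuzz"]

STRONG_WEIGHT = 3  # assumed weights, chosen for illustration
WEAK_WEIGHT = 1


@dataclass
class Commit:
    sha: str
    message: str
    score: int


def parse_log(text):
    """Split '<sha> <message>' lines into (sha, message) pairs."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, _, message = line.partition(" ")
        commits.append((sha, message))
    return commits


def score_message(message):
    """Sum keyword weights found in a commit message (case-insensitive)."""
    lowered = message.lower()
    score = 0
    for pattern in STRONG_SIGNALS:
        if re.search(pattern, lowered):
            score += STRONG_WEIGHT
    for pattern in WEAK_SIGNALS:
        if re.search(pattern, lowered):
            score += WEAK_WEIGHT
    return score


def triage(text):
    """Return commits sorted from most to least security-suspicious."""
    commits = [Commit(sha, msg, score_message(msg)) for sha, msg in parse_log(text)]
    return sorted(commits, key=lambda c: c.score, reverse=True)


def flagged(text, threshold=STRONG_WEIGHT):
    """SHAs an attacker would pull for diffing first: only explicit messages pass."""
    return [c.sha for c in triage(text) if c.score >= threshold]


if __name__ == "__main__":
    for commit in triage(SAMPLE_LOG):
        print(f"{commit.score:2d} {commit.sha} {commit.message}")
    print("worth reverse-engineering first:", flagged(SAMPLE_LOG))
```

Run against the sample log, only the commit that spells out its bug class and severity crosses the threshold; the vaguely worded null-check fix scores like any other cleanup, which is exactly the effect the obscured-message practice relies on. It also shows why a stand-alone security update defeats the trick: when the update contains nothing but the fix, no message analysis is needed at all.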
> Firefox developers often land critical fixes with somewhat obscured commit messages to increase the work required by attackers to identify the critical security fixes in the torrent of commits that go into each regular release.
Wow, that's fascinating. Do you have any interesting reads to point to in this regard?
I'm confused, what do you mean? Fixing security vulns can oftentimes lead to regressions, since over time users become dependent on a behavior that relies on an insecure behavior.
> How did a privately reported zero-day leak from Bugzilla into an attacker's arsenal?
This was a VERY valuable bug. I mean, it's sad to think about but the most likely scenario is that someone with access to the report at Mozilla or Google (or maybe elsewhere if it was shared more widely) called a friend of a friend of a friend and... sold it.
Moreover, people are bad at keeping secrets. Social engineering is clearly a thing, even among infosec circles.
Sometimes all it takes is being in the right bar and having a good ear.
I mentioned the possibility of an untrustworthy person gaining access to Bugzilla yesterday, but it seems that most people disagreed with it: https://news.ycombinator.com/item?id=20221397
Also, why did it take 2 months to fix an RCE? It's an RCE, not some XSS. I'd imagine this would be a high-priority. No?