Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.
to fix the exploit wins!
:(){
Listen, would you rather they give you no advance warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top-priority bug fix, which is good for everyone.
A black hole is where God divided by 0
I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?
Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
____
~ |rip/\/\aster /\/\onkey
As far as I can tell, Firefox had a flaw, they fixed it and notified Opera that they had the same flaw the day before Firefox's fix was announced. Sounds to me like the only thing that Firefox did wrong was notice that it affected Opera at all, because if they hadn't Opera would have been left with egg on their face and nothing to bitch about.
While I do not know all of the details behind this, I suspect that Mozilla did not have to notify Opera of any bug; in other words, they did it as a heads-up but were not obligated. I could be wrong, though. The article is rather short and does not explain anything. For all I know Mozilla gave Opera the info as soon as they knew it; I highly doubt this, but just from the article it is hard to tell. While Mozilla could have waited, I would bet that people with malevolent intent are not overly concerned with the small Opera user base. I think that overall the risk to the end user of the Opera browser is not much, and that the developer needs a chill pill. I know that Mozilla is not perfect, but I think that they had a good reason for releasing details about the problem. I do not know the reason, but knowing that there is a problem and that there is an update might make people more inclined to update to the safer version. So, Opera, fix the problem in your browser too; guess what, you can look at Firefox's source code to see how the Mozilla developers fixed theirs. And the developer with a pineapple stuck up somewhere needs to take a laxative or something.
>>>>> . It's the world's smallest violin...
Let's imagine that the Mozilla developers had modified the release notes for 2.0.0.12 so that it wasn't obvious what they'd fixed. Would that have been any better? Of course not. I can grab the code, diff against 2.0.0.11, take note of the changes, and presumably figure out why they were made. Now I can craft a working exploit against 2.0.0.11. After testing it on Firefox, what's the first thing I might try? How about... see if other browsers have the same problem?
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
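The step rsw describes above, diffing the fixed release against the vulnerable one and working out why each hunk exists, as an added example that is not code from this thread or from Mozilla. The two C snippets are constructed stand-ins for a "before" and "after" source file, not Firefox 2.0.0.11/2.0.0.12 code, and the keyword patterns are a hypothetical triage heuristic, not any project's tooling.

```python
"""Patch-diff triage: diff a "fixed" tree against the "vulnerable" one and
flag hunks whose added lines look like a security fix (bounds checks,
null checks, safer copy routines, early bail-outs).

Added example; the two source snippets are constructed, not real code.
"""
import difflib
import re

# Constructed "vulnerable" file (stand-in for the older release).
BEFORE = """\
int read_record(const char *src, size_t src_len, char *dst, size_t dst_len)
{
    size_t i;
    for (i = 0; i < src_len; i++)
        dst[i] = src[i];
    dst[i] = '\\0';
    return 0;
}
"""

# Constructed "fixed" file (stand-in for the patched release): the only
# change is a length check before the copy loop.
AFTER = """\
int read_record(const char *src, size_t src_len, char *dst, size_t dst_len)
{
    size_t i;
    if (src_len >= dst_len)
        return -1;
    for (i = 0; i < src_len; i++)
        dst[i] = src[i];
    dst[i] = '\\0';
    return 0;
}
"""

# Hypothetical heuristics: (pattern over an added line, label).
SIGNALS = [
    (re.compile(r"\w*(len|size|count)\w*\s*(>=|>|<=|<)\s*\w*(len|size|cap|count)\w*"),
     "bounds check"),
    (re.compile(r"== NULL|!= NULL|\bif\s*\(\s*!\s*\w+\s*\)"), "null check"),
    (re.compile(r"\b(strncpy|snprintf|strlcpy|memcpy_s)\b"), "safer copy"),
    (re.compile(r"\breturn\s+-?\d+\s*;|\breturn\s+NS_ERROR\w*"), "early bail-out"),
]


def hunks(before, after, path="record.c"):
    """Return [(hunk_header, [diff_lines])] for each unified-diff hunk."""
    diff = difflib.unified_diff(
        before.splitlines(), after.splitlines(),
        fromfile="a/" + path, tofile="b/" + path, lineterm="", n=1)
    out = []
    current = None
    for line in diff:
        if line.startswith("@@"):
            current = (line, [])
            out.append(current)
        elif current is not None:      # skip the ---/+++ file headers
            current[1].append(line)
    return out


def triage(before, after, path="record.c"):
    """Return [(hunk_header, added_lines, sorted_labels)] for every hunk.

    added_lines are the '+' lines with the prefix stripped; labels are
    the SIGNALS that matched at least one added line in that hunk.
    """
    results = []
    for header, lines in hunks(before, after, path):
        added = [l[1:] for l in lines if l.startswith("+")]
        labels = sorted({label for pat, label in SIGNALS
                         for l in added if pat.search(l)})
        results.append((header, added, labels))
    return results


if __name__ == "__main__":
    for header, added, labels in triage(BEFORE, AFTER):
        print(header, "->", ", ".join(labels) or "no obvious signal")
        for line in added:
            print("   +", line)
```

Run against two real source trees you would walk both directories and feed each changed file to `triage`; hunks that light up several labels at once are the ones to read first, since that is exactly what an attacker diffing a silent release would do.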
As a Firefox user, I'd like to apologize to Opera users (both of you) for leaving you exposed.
Next time we'll just let you figure it out on your own.
There's like 3 guys in the office closet that use Opera. Who cares anymore? IE rules the online world with an iron fist.
Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...
Resistance is futile. Reactance buggers it up.
Anyone else read the comments on the Opera blog? Pretty embarrassing stuff.
:-/"
http://my.opera.com/desktopteam/blog/2008/02/14/9-26-coming-soon
"Well those Mozilla guys think that openness is the answer to everything."
"Mozilla never knows when to keep their mouths shut...
Of course, considering that there are active exploits for Firefox, it's safe to say that the malware authors already knew about this security vulnerability."
"I'm not surprised about the Mozilla Corporation. Maybe they pretend they never have security issues with their code? There are still security issues with Firefox and with *any* software developed by humans, so they should be more humble and responsible. They're not harming Opera Software ASA, they're putting the Opera users in jeopardy, this is not a good way to have them to use Firefox. This is evil, irresponsible and antiethical at the very least. Shame on Mozilla!"
"Never mind, guys, let the Mozilla devs have a more secure browser for at least a few days (-;E"
it places Opera users at unnecessary risk
Yeah, both of them.
Best episode of Oprah ever!
Tsukasa: All I really want, is to be left alone...
what change is that? I haven't noticed anything.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Only on the series of tubes of the Interwebs does someone Piss and Whine when another person does them a favour.
I hereby declare Opera a whiny bizznatch.
Liberty.
Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk.
;)
In other words, it puts nobody at risk.
Why is Mozilla obligated to wait and release an advisory because Opera couldn't get off their asses fast enough to respond to something? Also, Opera users were already at risk, and not just because of the advisory.
Off-topic: Did that Opera guy ever swim from the US to Norway? Talk about obligations.
What's the big deal. Just go fix it.
I know you don't have any people committed to different projects.
I know you have your code at a stable point so it's easy to slip in a change.
I know this only takes one guy 5 min to go change a few lines of code.
I know it's ready to ship the moment it's changed.
I know you coded it right and didn't break anything else.
Remember, this is open source, so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.
What's the point of being open source if you don't do what the community expects of you?
END RANT
OK, I bet the underlying issue is they expected to have a little time. Emails went out to a few people that would look at it and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.
The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
I'm a gamer, not a grammar major. This post is full of spelling and grammar mistakes.
I would say it places Opera users at unnecessary risk of becoming Firefox users :-)
What I'm hoping is that a helpful Slashdot reader who actually patches security holes in widely-used software on the clock can opine as to the practicality of having a one day turnaround. Otherwise, the rest of us are just guessing about what is and isn't reasonable.
So, is having one day to evaluate and fix a security hole reasonable? And also, is having the source code open and available to others advantageous at all in meeting so short of a deadline?
Scream murder that he forgot to add the butter.
No offence, maybe Opera overreacted, but where does it say Opera covers up things? Opera apparently expected to get a bit more time to fix the bug before Mozilla disclosed it to the world... although it appears they didn't really say Opera was also affected, so it's an overreaction, but saying that they cover up things -_-. I think it's fairly normal not to spread around that there's a vulnerability until it's either fixed, or is obviously in the wild...
Here.
Everything that I've read on the topic of disclosure says wait at least a week. Hell, even some mail to the security focus lists have histories in them that go back a couple months! So, I can understand that Opera is rather pissed at the Mozilla people for not giving them ample time to respond. Quite frankly, I find the whole thing rather rude.
That being said, "Opera's" response wasn't exactly professional either. At least it should have been better worded and cited industry standard ways of working to solve an issue.
"We had another fight over the inflatable bath pillow. I kept screeching and screeching at him, but..."
-- Agnes Skinner, describing her latest fight with her son, Seymour
Somebody posting to Slashdot says that somebody at The Register says that an Opera blogger screeches about Mozilla. Even for Slashdot, this is a pretty weak title.
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the :) ), but not happy that there was only a day before it was made public. Nobody is particularly happy when they only have a day from learning there's a security hole to everybody else learning about it; that's not enough time to get a fix rolled out, so this is hardly surprising.
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more than one day before public disclosure of a security hole.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
I'm not sure if Opera lets you customize the UA string to whatever you like, but I find it best to add whatever string the page is looking for into my Firefox UA. For example, Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12; .NET CLR 2.0.50727; not MSIE 6.0) Gecko/20080201 Firefox/2.0.0.12. The idea is that it gets you in without much trouble, while still letting the site know that you prefer a different browser and they should fix their site (or browser detection). Wouldn't it be great if every poorly coded site out there realized they were blocking browsers that worked just fine and fixed their code to allow them? Maybe the CVS site is done by a parent company which also does the sites for their other companies - pointing out the mistake on one site might lead to several sites getting fixed. The end result is simply more sites that "just work" which results in less time spent making 15 different versions of a website so that it works in all browsers, and more time spent making the website functional.
I'm sorry, they shouldn't have had any time at all to respond. Next time, publish it as soon as you've got working exploit code. Oh, and make a nice GUI exploit for the skiddies.
At the risk of offending Opera users and gay people I'd have to say that Opera is gay. Also, Mozilla has the giant lizard monster. What does Opera have? A big letter 'O'. And maybe some dried fish. And Norway? You can't get there from here.
Now wash your hands.
And both of them are rightfully outraged!
Exploit is known since November 2007:
http://www.0x000000.com/?i=479
Opera guys complain for nothing, Mozilla doesn't even mention Opera (Safari seems to have the same bug).
Klingon Opera screeches more than a bunch of Norwegians ever could.
I agree with the Opera dudes; keeping users from finding out about the browser's security issues is their business model, after all...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
>Opera Screeches at Mozilla Over Security Disclosure
Come on, can we get article titles and summaries that don't *immediately* tell us how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even Fox News uses. For *once* I'd like to see a Slashdot editor try to be objective, and let the readers make up their own minds instead of trying to spoon-feed us our opinions.
They wrote the crap code (or borrowed it from somewhere else) in the first place.
Whhhaaaaah... I released GARBAGE with security holes in it and someone else didn't tell me before they released their fix!
Is about what all this amounts to.
STOP WRITING CRAPPY INSECURE CODE, REFUSING TO TEST IT, AND NOT BUILDING TO ANY TYPE OF SAFETY STANDARDS - GROW UP AND BE REAL ENGINEERS... and the problem solves itself.
+++OK ATH
I consider Safari on the iPhone/iPod Touch to be a damn good browser for a portable, smart phone, PDA, etc.
- I don't need to go outside, my CRT tan'll do me just fine.
s/bitch/developers/g
Take life easy: one bit at a time.
Opera should be open source, I laugh at any *security* claims made by developers of closed source products. Open the source and let us decide the degree of security for ourselves with facts we can see and help you make a better product.
Thank you
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
Roses are red, violets are blue,
We're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
Why are you people being a bunch of bitches? Mozilla gave Opera ONE day to patch it. That's not enough time to unleash a bug on Opera and have it patched, but meanwhile Mozilla waited more than a day to evaluate the issue for themselves. And you think dumping bugs on Opera is a favor? Then maybe Mozilla should have unleashed this news immediately on themselves too. But they didn't, so I guess you're wrong about incentives.
Opera may want to worry about some of this stuff before whining about something new.
I call BS on Opera's complaint. I just read Mozilla's security advisory, and it makes no mention of Opera. So sorry- Mozilla checked and saw Opera was vulnerable to the same exploit and shot them a heads up to let them know about it. Mozilla has ZERO obligation to the Opera folks, so that was being nice. If their advisory had mentioned Opera, there would be something to complain about. As it stands, all Opera's complaint accomplished was advertising to the world that their browser was vulnerable and unpatched. Smart people indeed.
So if Microsoft has a similar bug in IE, the Mozilla team are supposed to not disclose a bug in _Mozilla_ till Microsoft fixes IE?
The bug is similar to previous bugs, so
1) Opera should have fixed it before.
2) There's not really that much time before someone else figures it out anyway.
Maybe Opera and Mozilla should sandbox their browsers by default. Then this problem will just be "upload arbitrary files in the Uploads Directory" (assuming the attacker knows the full path).
Similarly other browser exploits would then only be able to touch stuff inside the sandbox, and wouldn't be able to mess with the user's documents, or turn on the microphone/webcam etc.
Once that happens then hackers might have to start looking for more stuff like the kernel vmsplice bug.
You realize, of course, that the security tracker list to which you linked is made up entirely of fixed vulnerabilities?
I wish you would shut the fuck up about this already. It's open source; publishing a fix is disclosing the vulnerability.
I would guess that Mozilla only became aware that the bug also applied to Opera in the later stages of testing - hence the late notice. It's not like Mozilla regularly checks non-mozilla browsers for exploits now, is it?
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1