Slashdot Mirror
Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.
As far as I can tell, Firefox had a flaw, they fixed it and notified Opera that they had the same flaw the day before Firefox's fix was announced. Sounds to me like the only thing that Firefox did wrong was notice that it affected Opera at all, because if they hadn't Opera would have been left with egg on their face and nothing to bitch about.
While I do not know all of the details behind this I suspect that Mozilla did not have to notify Opera of any bug, in other words they did it as a heads up but were not obligated, I could be wrong though. The article is rather short and does not explain anything. For all I know Mozilla gave Opera the info as soon as they knew it, I highly doubt this, but just from the article it is hard to tell. While Mozilla could have waited, I would bet that people with malevolent intent are not overly concerned with the small Opera user base. I think that the over all the risk to the end user of the Opera browser is not much, and that the developer needs a chill pill. I know that Mozilla is not perfect, but I think that they had a good reason for releasing details about the problem. I do not know the reason, but knowing that there is a problem and that there is an update might make people more inclined to update to the safer version. So Opera fix the problem on your browser too, guess what you can look at Firefox's source code to see how the Mozilla developer's fixed theirs, and the developer with an pineapple stuck up somewhere needs to take a laxative or something.
Let's imagine that the Mozilla developers had modified the release notes for 2.0.0.12 so that it wasn't obvious what they'd fixed. Would that have been any better? Of course not. I can grab the code, diff against 2.0.0.11, take note of the changes, and presumably figure out why they were made. Now I can craft a working exploit against 2.0.0.11. After testing it on Firefox, what's the first thing I might try? How about... see if other browsers have the same problem?
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
The fact that they hid the bug reports at all should be enough to make the Opera kids grateful. After all, the Mozilla foundation operates in a pretty open and transparent fashion. The most honest (and destructive) way to go would be to never hide the bug reports.
But just to cover that old ground once again; when code changes, diffs happen automatically, and people know just precisely what changed. You can be sure that some of those people are malicious hackers looking for new ways to screw us all; there's good money in it. So by hiding the details of the exploit, you make sure that only the more skillful and malicious hackers have the exploit. Does that sound like a good idea to you?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Exactly. Not only does this story bring to light the fact that there's a bug in Opera, but it illustrates how Opera prefers to handle security bugs: by covering them up.
Give me Classic Slashdot or give me death!
You know, looking at Mozilla's release, they didn't seem to mention anything to anybody about Opera having a problem too. Looks more like Opera screwed themselves.
But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
You haven't given a specific example of Opera needlessly hiding an exploit.
Unless for some reason they use the same engines, what's the problem with this practice? Opera's security isn't Firefox's responsibility. The fact that they notified opera at all went above and beyond what they needed to do, and asking firefox to be less open with their community is asking them to risk their image for the sake of opera and its users. Unless I'm missing something here, Firefox was being polite and Opera's throwing a world class hissy fit.
But never hiding bugs is silly. For example, if you provide an strace of ssh crashing, you'd want to mark that private at least.
Maybe, maybe not. You never know what the black hats already know; as a _user_ of ssh, if you disclose then I can take steps to limit damage--e.g. if I'm allowing full ssh access from outside my network (so that employees can work on the go), I may decide that the small benefit of doing so doesn't merit the risk. I'd rather turn off external ssh access for a few days until there's a fix.
When you hide the bug, you're hiding the ability for the users to take steps to protect themselves. You're forcing me to run with exposed systems for several days, and hoping that nobody "bad" knows about the bug. And you're making that judgement for your users rather than giving them the ability to make that call themselves; that's almost impossible given that the judgement might hinge heavily on whether I'm a large financial institute or a personal blog site that backs up daily. Just guessing that most users are happy with your security through obscurity is bound to be wrong in some cases, and those cases are likely to be some of the more financially significant ones.
(That's on top of the pressure to issue a real fix that full disclosure brings. Before things like BugTraq, it was common for people to sit on severe security bugs for literally _years_.)
rage, rage against the dying of the light
Somebody posting to Slashdot says that somebody at The Register says that an Opera blogger screeches about Mozilla. Even for Slashdot, this is a pretty weak title.
:) ), but not happy that there was only a day before it was made public. Nobody is particularly happy when they only have a day from learning there's a security hole to everybody else learning about it, thats not enough time to get a fix rolled out, so this is hardly surprising.
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more then one day before public disclosure of a security hole.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
The problem usually isnt coding time. It's organizational response and resource allocation issues.
For example, Opera is on a very differen timezone from the US, so initial publication may happen overnight from the POV of the Opera staff.
So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messsages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.
Then you have to find people with the capability to test whether its a real problem. This may take a couple hours. People go on vacation, get sick, etc.
Then you have to take the time to do the research, test whether this is a real problem, what versions it affects, etc. This takes a couple hours.
Then yuou have to stop a coder from working on something else, bring them up to speed on the problem (if its not the same person doing the testing), and get them started on the fix.
Then even with a fix you have to do regression tests. Not sure about Opera, but many mature apps have full test suites that can take a couple hours.
Then you have to write release notes, update the web page, do a new deploy package, and update your update servers to notify Opera that there is a new update.
As you can see, very little of the time here is coding.
Many large orgs have taken steps to create a 'short path of decision making' to streamline this process, always have one coder on call who can do this work, etc. But even then if anything is out of whack or the wrong person is sick or on vacation or on another urgent item, a whole day could pass without response.
Yeah, it's not like Firefox has any fanboys...
So I took a look at the last story about Firefox bugs. And guess what - you have people criticising the person for making the bug public in a way not helpful to the developers. And do I hear "crybaby"? No, instead it gets modded up to +4.
Central to the argument. Open source Firefox has to disclose the fix in order to fix it, closed-source Opera doesn't and the users could be unaware that anything even happened. Side note: Why is the real enemy IE? The enemy of my enemy is not always my friend.
Beware: In C++, your friends can see your privates!
I don't see why this is so funny. Opera's not that bad, and it does offer some things that aren't available by default in Firefox. Sure, it doesn't have the 400 extensions that FF does, but you don't have to screw around with it much. Opera has some really nifty features enabled OOTB that most people would overlook otherwise. It's also fast and it does a really good job with adhering to web standards.
Yours is really a flamebait comment, and if there were a considerable number of Opera users with moderation points out there, I'm sure they'd overlook objectivity and mod you down.
"You could almost look at defense of Microsoft as a form of the Stockholm syndrome." -neapolitan
Yep, it sucks to be big. If the person that found the exploit logs on to IRC and posts it, instead of mailing the authors of the code, how much time do you think they have before a new trojan or malicious attack websites are setup. I'd make a guess it's under an hour. As the application developer you have to take what you're given. Your enemy is not going to give you any quarter. They are not going to wait around for you to patch your apps and distribute them. The ball is in the blackhats hand, all you can hope to do is react fast enough.
>Opera Screeches at Mozilla Over Security Disclosure
Common, can we get article titles and summaries that don't *immediately* tell us about how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even fox news uses. For *once* I'd like to see a slashdot editor try to be objective, and let the reader make up our own mind instead of trying to spoon feed us our opinions.
True... but, advertising a bugfix in one browser does mean that attackers will test the others to see if they're vunerable for the same thing. And it does happen - remember that there was a SSL vunerablity that both Konquerer and Internet Explorer fell foul of. Two very different code-bases!
There should be a standard protocol among significant web-browser vendors notifying each other of upcoming public annocements of vunerabilities. No more than, say two weeks notice (possibly less?) among each other to check for potential flaws. (One week should be enough for any browser that's not a one-man-band to at least do a 'are we vunerable?' investigation.)
So, Mozilla notify Opera they've discovered a flaw in Mozilla, gives Opera two weeks to check they're not vunerable to the same thing. If any siginifcant browser is, maybe give another two weeks for a patch to be devloped. Then the information becomes public.
Sure, MS might be lagging behind with their patch-tuesday, but hey.
Still, Opera's security track-record does exceed Mozilla's.
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
Roses are red, violets are blueWe're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while to, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'