Opera Screeches at Mozilla Over Security Disclosure

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."

Oh bitch, bitch, bitch!

[Enuratique]

Listen, would you rather they give you no advanced warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top priority bug fix - which is good for everyone.

Sheesh...

[TripMaster+Monkey]

From TFA:

Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. "They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody," Santambrogio writes.

I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?

Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.

Re:Sheesh...

[drinkypoo]

But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.

I think we all know already that disclosing the exploit is what brings the motivation to fix the hole. You haven't given a specific example of Opera needlessly hiding an exploit.

I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:

These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.

Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.

Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.

Streisand effect?

[Epsillon]

Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...

Re:overreaction

[Fweeky]

I don't see how expressing dipleasure at something on a blog is an overreaction. "Screeching" is stretching it pretty fucking far, since it's basically saying what happened. Where in the blog entry is there screeching, perhaps the bold on "responsible", or maybe the ":("? Wouldn't it be better to link to the blog entry directly and not some dumb opinionated elreg article? Really, did you even read the original source before deciding "the developer needs a chill pill"?

At the end of the day, Mozilla would have acted better by keeping the exploits closed for a few more days, as they would hope anyone else would do for them. By not doing so, they upset people, and others expressing that upset is perfectly understandable. There's no mass outcry at Opera, no press release or open letter saying the Mozilla team are dicks, there's a few words saying what happened and a couple of emoticons on a developer blog entry.

Re:insightful??

[Epsillon]

They've had twelve days to fix it. Have they? If you RTFA, you'll see not only have they not, they've expended a greater amount of energy trying to whip up support for their malcontent with Mozilla. So, in reply, yes it does seem that they would rather cover this up than fix the issue in a timely manner. Their actions scream it, even if TFA doesn't.