Slashdot Mirror


Opera Screeches at Mozilla Over Security Disclosure

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."

1 of 208 comments

  1. Re:Sheesh... by drinkypoo · Score: 5, Interesting

    But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

    Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.

    I think we all know already that disclosing the exploit is what brings the motivation to fix the hole. You haven't given a specific example of Opera needlessly hiding an exploit.

    I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:

    These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

    So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.

    Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.

    Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"