Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.
to fix the exploit wins!
:(){
Listen, would you rather they give you no advance warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top priority bug fix - which is good for everyone.
A black hole is where God divided by 0
I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?
Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
____
~ |rip/\/\aster /\/\onkey
As far as I can tell, Firefox had a flaw, they fixed it and notified Opera that they had the same flaw the day before Firefox's fix was announced. Sounds to me like the only thing that Firefox did wrong was notice that it affected Opera at all, because if they hadn't Opera would have been left with egg on their face and nothing to bitch about.
While I do not know all of the details behind this, I suspect that Mozilla did not have to notify Opera of any bug; in other words they did it as a heads up but were not obligated. I could be wrong though. The article is rather short and does not explain anything. For all I know Mozilla gave Opera the info as soon as they knew it. I highly doubt this, but just from the article it is hard to tell. While Mozilla could have waited, I would bet that people with malevolent intent are not overly concerned with the small Opera user base. I think that the overall risk to the end user of the Opera browser is not much, and that the developer needs a chill pill. I know that Mozilla is not perfect, but I think that they had a good reason for releasing details about the problem. I do not know the reason, but knowing that there is a problem and that there is an update might make people more inclined to update to the safer version. So, Opera, fix the problem on your browser too. Guess what, you can look at Firefox's source code to see how the Mozilla developers fixed theirs, and the developer with a pineapple stuck up somewhere needs to take a laxative or something.
>>>>> . It's the world's smallest violin...
Let's imagine that the Mozilla developers had modified the release notes for 2.0.0.12 so that it wasn't obvious what they'd fixed. Would that have been any better? Of course not. I can grab the code, diff against 2.0.0.11, take note of the changes, and presumably figure out why they were made. Now I can craft a working exploit against 2.0.0.11. After testing it on Firefox, what's the first thing I might try? How about... see if other browsers have the same problem?
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
As a Firefox user, I'd like to apologize to Opera users (both of you) for leaving you exposed.
Next time we'll just let you figure it out on your own.
Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...
Resistance is futile. Reactance buggers it up.
Anyone else read the comments on the Opera blog? Pretty embarrassing stuff.
:-/
http://my.opera.com/desktopteam/blog/2008/02/14/9-26-coming-soon
"Well those Mozilla guys think that openness is the answer to everything."
"Mozilla never knows when to keep their mouths shut...
Of course, considering that there are active exploits for Firefox, it's safe to say that the malware authors already knew about this security vulnerability."
"I'm not surprised about the Mozilla Corporation. Maybe they pretend they never have security issues with their code? There are still security issues with Firefox and with *any* software developed by humans, so they should be more humble and responsible. They're not harming Opera Software ASA, they're putting the Opera users in jeopardy, this is not a good way to have them to use Firefox. This is evil, irresponsible and antiethical at the very least. Shame on Mozilla!"
"Nevermind, guys, let the Mozilla devs have more secure browser for at least few days (-;E"
it places Opera users at unnecessary risk
Yeah, both of them.
Best episode of Oprah ever!
Tsukasa: All I really want, is to be left alone...
what change is that? I haven't noticed anything.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Only on the series of tubes of the Interwebs does someone Piss and Whine when another person does them a favour.
I hereby declare Opera a whiny bizznatch.
Liberty.
Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk.
;)
In other words, it puts nobody at risk.
Why is Mozilla obligated to wait and release an advisory because Opera couldn't get off their asses fast enough to respond to something. Also, opera users were already at risk and not just because of the advisory.
Offtopic: Did that opera guy ever swim from US to Norway? speak about obligations.
What's the big deal. Just go fix it.
I know you don't have any people committed to different projects.
I know you have your code at a stable point so its easy to slip in a change
I know this only takes one guy 5 min to go change a few lines of code
I know its ready to ship the moment its changed
I know you coded it right and didn't break anything else
Remember this is open source. so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.
What's the point of being open source if you don't do what the community expects of you.
END RANT
OK, I bet the underlying issue is they expected to have a little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.
The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
I'm a gamer, not a grammar major. This post is full of spelling and grammar mistakes.
I would say it places Opera users at unnecessary risk of becoming Firefox users :-)
What I'm hoping is that a helpful Slashdot reader who actually patches security holes in widely-used software on the clock can opine as to the practicality of having a one day turnaround. Otherwise, the rest of us are just guessing about what is and isn't reasonable.
So, is having one day to evaluate and fix a security hole reasonable? And also, is having the source code open and available to others advantageous at all in meeting so short of a deadline?
Scream murder that he forgot to add the butter.
No offence, maybe Opera overreacted, but where does it say Opera covers up things? Opera apparently expected to get a bit more time to fix the bug before Mozilla disclosed it to the world... although it appears they didn't really say Opera was also affected, so it's an overreaction, but saying that they cover up things -_-. I think it's fairly normal not to spread around that there's a vulnerability until it's either fixed, or is obviously in the wild...
Here.
Everything that I've read on the topic of disclosure says wait at least a week. Hell, even some mail to the SecurityFocus lists have histories in them that go back a couple of months! So, I can understand that Opera is rather pissed at the Mozilla people for not giving them ample time to respond. Quite frankly, I find the whole thing rather rude.
That being said, "Opera's" response wasn't exactly professional either. At least it should have been better worded and cited industry standard ways of working to solve an issue.
"We had another fight over the inflatable bath pillow. I kept screeching and screeching at him, but..."
-- Agnes Skinner, describing her latest fight with her son, Seymour
Somebody posting to Slashdot says that somebody at The Register says that an Opera blogger screeches about Mozilla. Even for Slashdot, this is a pretty weak title.
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the :) ), but not happy that there was only a day before it was made public. Nobody is particularly happy when they only have a day from learning there's a security hole to everybody else learning about it; that's not enough time to get a fix rolled out, so this is hardly surprising.
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more than one day before public disclosure of a security hole.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
I'm not sure if Opera lets you customize the UA string to whatever you like, but I find it best to add whatever string the page is looking for into my Firefox UA. For example, Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12; .NET CLR 2.0.50727; not MSIE 6.0) Gecko/20080201 Firefox/2.0.0.12. The idea is that it gets you in without much trouble, while still letting the site know that you prefer a different browser and they should fix their site (or browser detection). Wouldn't it be great if every poorly coded site out there realized they were blocking browsers that worked just fine and fixed their code to allow them? Maybe the CVS site is done by a parent company which also does the sites for their other companies - pointing out the mistake on one site might lead to several sites getting fixed. The end result is simply more sites that "just work" which results in less time spent making 15 different versions of a website so that it works in all browsers, and more time spent making the website functional.
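The post above relies on a site looking for the substring "MSIE" in the User-Agent header, which is why a Firefox UA carrying "not MSIE 6.0" in its comment gets waved through. As an added example (not code from the thread or from either browser vendor), the JavaScript below contrasts that substring sniff with a parser that splits the UA into RFC 2616 product tokens and parenthesised comments, so the real product token (Firefox/2.0.0.12) is visible and "MSIE 6.0" is only accepted where IE actually places it. The IE 6 and Opera-masquerade strings are constructed samples for the demonstration, not strings taken from the page; the Firefox string is the one quoted in the post.

```javascript
"use strict";

// Constructed sample: the customised Firefox UA quoted in the post above.
const SPOOFED_UA =
  "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12; " +
  ".NET CLR 2.0.50727; not MSIE 6.0) Gecko/20080201 Firefox/2.0.0.12";

// Constructed sample approximating a genuine IE 6 on Windows XP (hypothetical).
const IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";

// Constructed sample approximating Opera's "identify as IE" mode, where the
// real product is announced after the comment (hypothetical string).
const OPERA_AS_IE_UA =
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26";

// The check a poorly coded site performs: any occurrence of "MSIE" means IE.
function naiveIsIE(ua) {
  return ua.indexOf("MSIE") !== -1;
}

// Split a UA into product tokens ("Name/Version") and the parenthesised
// comments between them, following the RFC 2616 grammar
//   User-Agent = 1*( product | comment )
// Comments are further split on ";" into their individual tokens.
function parseUserAgent(ua) {
  const products = [];
  const comments = [];
  const re = /\(([^)]*)\)|(\S+)/g;
  let m;
  while ((m = re.exec(ua)) !== null) {
    if (m[1] !== undefined) {
      comments.push(m[1].split(";").map((s) => s.trim()).filter(Boolean));
    } else {
      const [name, version = ""] = m[2].split("/");
      products.push({ name, version });
    }
  }
  return { products, comments };
}

// Less naive: IE announces itself as a comment token of exactly "MSIE <n>".
// A token such as "not MSIE 6.0" does not qualify, and a product token that
// names another browser (Firefox, Opera) overrides the comment.
function isIE(ua) {
  const { products, comments } = parseUserAgent(ua);
  const msieToken = comments.flat().some((t) => /^MSIE \d/.test(t));
  const otherBrowser = products.some((p) => /^(Firefox|Opera)$/.test(p.name));
  return msieToken && !otherBrowser;
}

// Convenience: names of the product tokens, in the order the UA lists them.
function productNames(ua) {
  return parseUserAgent(ua).products.map((p) => p.name);
}
```

With the quoted Firefox string, naiveIsIE returns true while isIE returns false; the constructed IE 6 string satisfies both, and the Opera-masquerade string is rejected by isIE because the trailing "Opera" product token wins over the comment. Feature detection is still the better answer for a site that only wants to know what the browser can do, but if a UA must be inspected, inspecting its structure rather than grepping it is the difference between a check and a suggestion.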
I agree with the Opera dudes, keeping users from finding out about the browser's security issues is their business model after all...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
>Opera Screeches at Mozilla Over Security Disclosure
Come on, can we get article titles and summaries that don't *immediately* tell us about how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even fox news uses. For *once* I'd like to see a slashdot editor try to be objective, and let the reader make up our own mind instead of trying to spoon feed us our opinions.
Considering the bug is also in Firefox doesn't your ridiculous caricature also apply to them? And yeah, it's so easy to write code that doesn't have a single bug in it. Examples of huge apps with zero bugs ever found are:
End of list.
I consider Safari on the iPhone/iPod Touch to be a damn good browser for a portable, smart phone, PDA, etc.
- I don't need to go outside, my CRT tan'll do me just fine.
Yes it does.
Desktop application code, you must admit, is pretty crappy these days... when it comes to security. Name one desktop application that hasn't had MULTIPLE security patches in the last year.
Most security experts also agree that this "patching everything and then patching it again" is killing the real gains found (monetary) by utilizing the technology in the first place. At some point if it was written badly enough to need continuous patching, the support staff required to keep up with patching, internal certification/testing, etc... grows exponentially beyond what most organizations gained by switching to using computers for certain tasks in the first place.
There *are* examples of how to code nearly flawlessly, and procedures around that. They're usually found behind the closed doors of military and defense systems contractors, so they're not publicized much. Same thing for MOST embedded systems where lives are on the line, including transportation systems, satellites, etc.
The software quality in those systems is arguably quite a bit higher than the typical software in the "desktop" computing world, but one could argue that with MORE of us using the desktop environment software for day-to-day life these days, the risks and disadvantages of not treating such software as "mission critical" as embedded systems, is a huge oversight or omission on the part of the "software industry".
How many of us use web browsers (ESPECIALLY WEB BROWSERS) for online banking, command and control of multi-million-dollar systems, and just about everything these days? Isn't a browser then more important to treat the code as if it MUST BE RIGHT THE FIRST TIME (even if it isn't), than just about any other utility piece of software, or any embedded control system?
Zero-bugs may not be possible, but the current number of bugs is far beyond what the industry can bear, long-term. It's simple financials... if desktop computing and the server hardware and add-on software (virus scanners, malware scanners, etc etc etc... and the never-ending treadmill of additional hardware requirements to run all the SCANNERS) continue up in price for organizations, IT is on a never-ending downward spiral that won't stop until computers are locked back down to bare minimum job-handling capability... a dumb terminal...
In fact, systems that never left the dumb terminal environment, have done well throughout the years. Only fairly recently were airline reservations moved from the so-called "archaic" mainframe-based systems and command-line/text-only interfaces, to something slightly more modern. Ever wonder why?
I get the distinct impression that most "desktop application coders" either don't have or don't want the discipline necessary to produce quality software similar to the embedded and life-critical systems mentioned above... even if they could. They would rather whine and make excuses about "find me some bug-free code".
How about we find them some MUCH better quality code, and show them some techniques for writing code like THAT and not the cruddy mess we currently have for "security" on the desktop/utility computing environment?
They act like ANY level of bugs is "acceptable" but that PROVING they're making continuous improvement in LOWERING the number of bugs is too inconvenient. Then you add in the love affair with changing the underlying tools, languages, and IDEs, and it's amazing anyone ever gets anything done, but not a surprise that there's NO MEASURABLE IMPROVEMENT in the number or quality of bugs in almost three decades of popular computing.
It's a machine -- it only does what it's told to. If the software's too complex to debug it correctly, someone made it so. Those "someones" have either been working in the field for that same 30 years, or have been managing the new people incorrectly, and not requiring code re-use and standards to avoid the mistakes they made 20 years ago, when they were coding.
Have the bugs gotten smaller? Nope. Less frequent? Nope. In fact there's bigger holes found every day, and more of them. The code monkeys need to stop, and THINK, and ENGINEER their next solutions.
+++OK ATH
s/bitch/developers/g
Take life easy: one bit at a time.
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
Roses are red, violets are blue
We're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
Why are you people being a bunch of bitches? Mozilla gave Opera ONE day to patch it. That's not enough time to unleash a bug on Opera and have it patched, but meanwhile Mozilla waited more than a day to evaluate the issue for themselves. And you think dumping bugs on Opera is a favor? Then maybe Mozilla should have unleashed this news immediately on themselves too. But they didn't, so I guess you're wrong about incentives.
I call BS on Opera's complaint. I just read Mozilla's security advisory, and it makes no mention of Opera. So sorry- Mozilla checked and saw Opera was vulnerable to the same exploit and shot them a heads up to let them know about it. Mozilla has ZERO obligation to the Opera folks, so that was being nice. If their advisory had mentioned Opera, there would be something to complain about. As it stands, all Opera's complaint accomplished was advertising to the world that their browser was vulnerable and unpatched. Smart people indeed.
So if Microsoft has a similar bug in IE, the Mozilla team are supposed to not disclose a bug in _Mozilla_ till Microsoft fixes IE?
The bug is similar to previous bugs, so
1) Opera should have fixed it before.
2) There's not really that much time before someone else figures it out anyway.
Maybe Opera and Mozilla should sandbox their browsers by default. Then this problem will just be "upload arbitrary files in the Uploads Directory" (assuming the attacker knows the full path).
Similarly other browser exploits would then only be able to touch stuff inside the sandbox, and wouldn't be able to mess with the user's documents, or turn on the microphone/webcam etc.
Once that happens then hackers might have to start looking for more stuff like the kernel vmsplice bug.
I would guess that Mozilla only became aware that the bug also applied to Opera in the later stages of testing - hence the late notice. It's not like Mozilla regularly checks non-mozilla browsers for exploits now, is it?
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
But a browser can be coded to NOT respond to things that it isn't intended to receive.
Your argument is invalid.
If you can't predict what you'll be served, you DEFINE what you will RESPOND to, and you don't respond or do ANYTHING with inappropriate input.
Basic programming 101 course material there, man.
+++OK ATH
A browser is intended to receive just about anything, that's the problem.