Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.
to fix the exploit wins!
:(){
Listen, would you rather they give you no advanced warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top priority bug fix - which is good for everyone.
A black hole is where God divided by 0
I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?
Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
____
~ |rip/\/\aster /\/\onkey
As far as I can tell, Firefox had a flaw, they fixed it and notified Opera that they had the same flaw the day before Firefox's fix was announced. Sounds to me like the only thing that Firefox did wrong was notice that it affected Opera at all, because if they hadn't Opera would have been left with egg on their face and nothing to bitch about.
While I do not know all of the details behind this, I suspect that Mozilla did not have to notify Opera of any bug; in other words, they did it as a heads up but were not obligated. I could be wrong though. The article is rather short and does not explain anything. For all I know Mozilla gave Opera the info as soon as they knew it; I highly doubt this, but just from the article it is hard to tell. While Mozilla could have waited, I would bet that people with malevolent intent are not overly concerned with the small Opera user base. I think that overall the risk to the end user of the Opera browser is not much, and that the developer needs a chill pill. I know that Mozilla is not perfect, but I think that they had a good reason for releasing details about the problem. I do not know the reason, but knowing that there is a problem and that there is an update might make people more inclined to update to the safer version. So Opera, fix the problem on your browser too; guess what, you can look at Firefox's source code to see how the Mozilla developers fixed theirs, and the developer with a pineapple stuck up somewhere needs to take a laxative or something.
>>>>> . It's the world's smallest violin...
Let's imagine that the Mozilla developers had modified the release notes for 2.0.0.12 so that it wasn't obvious what they'd fixed. Would that have been any better? Of course not. I can grab the code, diff against 2.0.0.11, take note of the changes, and presumably figure out why they were made. Now I can craft a working exploit against 2.0.0.11. After testing it on Firefox, what's the first thing I might try? How about... see if other browsers have the same problem?
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
As a Firefox user, I'd like to apologize to Opera users (both of you) for leaving you exposed.
Next time we'll just let you figure it out on your own.
Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...
Resistance is futile. Reactance buggers it up.
it places Opera users at unnecessary risk
Yeah, both of them.
Best episode of Oprah ever!
Tsukasa: All I really want, is to be left alone...
Why is Mozilla obligated to wait and release an advisory because Opera couldn't get off their asses fast enough to respond to something. Also, opera users were already at risk and not just because of the advisory.
Offtopic: Did that opera guy ever swim from US to Norway? speak about obligations.
What's the big deal. Just go fix it.
I know you don't have any people committed to different projects.
I know you have your code at a stable point so it's easy to slip in a change
I know this only takes one guy 5 min to go change a few lines of code
I know it's ready to ship the moment it's changed
I know you coded it right and didn't break anything else
Remember this is open source, so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.
What's the point of being open source if you don't do what the community expects of you.
END RANT
OK, I bet the underlying issue is they expected to have a little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.
The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
I would say it places Opera users at unnecessary risk of becoming Firefox users :-)
Somebody posting to Slashdot says that somebody at The Register says that an Opera blogger screeches about Mozilla. Even for Slashdot, this is a pretty weak title.
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the :) ), but not happy that there was only a day before it was made public. Nobody is particularly happy when they only have a day from learning there's a security hole to everybody else learning about it; that's not enough time to get a fix rolled out, so this is hardly surprising.
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more than one day before public disclosure of a security hole.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
They've had twelve days to fix it. Have they? If you RTFA, you'll see not only have they not, they've expended a greater amount of energy trying to whip up support for their malcontent with Mozilla. So, in reply, yes it does seem that they would rather cover this up than fix the issue in a timely manner. Their actions scream it, even if TFA doesn't.
The problem usually isn't coding time. It's organizational response and resource allocation issues.
For example, Opera is in a very different timezone from the US, so initial publication may happen overnight from the POV of the Opera staff.
So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.
Then you have to find people with the capability to test whether it's a real problem. This may take a couple hours. People go on vacation, get sick, etc.
Then you have to take the time to do the research, test whether this is a real problem, what versions it affects, etc. This takes a couple hours.
Then you have to stop a coder from working on something else, bring them up to speed on the problem (if it's not the same person doing the testing), and get them started on the fix.
Then even with a fix you have to do regression tests. Not sure about Opera, but many mature apps have full test suites that can take a couple hours.
Then you have to write release notes, update the web page, do a new deploy package, and update your update servers to notify Opera users that there is a new update.
As you can see, very little of the time here is coding.
Many large orgs have taken steps to create a 'short path of decision making' to streamline this process, always have one coder on call who can do this work, etc. But even then, if anything is out of whack or the wrong person is sick or on vacation or on another urgent item, a whole day could pass without response.
Yeah, it's not like Firefox has any fanboys...
So I took a look at the last story about Firefox bugs. And guess what - you have people criticising the person for making the bug public in a way not helpful to the developers. And do I hear "crybaby"? No, instead it gets modded up to +4.
From TFA:
Opera was notified the day before the February 7 release - that would be February 6. Today is February 18. Is that not 12 days?
The whole point of this entire debacle is that Opera themselves disclosed this and, by complaining about full disclosure, showed their true colours when it comes to vulnerabilities in their flagship browser. Mozilla reported the vulnerability in a professional manner to a competitor to whom they owe nothing but felt ethically it was the right thing to do, then fixed their own product. Opera's actions in this matter show me quite clearly what they would have preferred to do but perhaps I'm just a raving zealot or a tin-foil hatter seeing conspiracies where none exist. There again, perhaps not. Feeling lucky? I hope you are, since you're betting, with apparently very little information, that Opera fixes the bugs in its software instead of simply sitting on reports from security experts trying to do the right thing. Security experts and competitors who may just think twice before submitting findings to Opera in the future.
[1] 94% of statistics are pulled from someone's behind. Suffice to say a significant portion of the web browsing public use Fx. My analog shows it to be much, much higher but my web server hosts predominantly open source software, so that's to be expected.
Yep, it sucks to be big. If the person that found the exploit logs on to IRC and posts it, instead of mailing the authors of the code, how much time do you think they have before a new trojan or malicious attack websites are set up? I'd make a guess it's under an hour. As the application developer you have to take what you're given. Your enemy is not going to give you any quarter. They are not going to wait around for you to patch your apps and distribute them. The ball is in the blackhats' hands; all you can hope to do is react fast enough.
>Opera Screeches at Mozilla Over Security Disclosure
Come on, can we get article titles and summaries that don't *immediately* tell us about how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even fox news uses. For *once* I'd like to see a slashdot editor try to be objective, and let the reader make up our own mind instead of trying to spoon feed us our opinions.
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
Roses are red, violets are blue
We're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
I call BS on Opera's complaint. I just read Mozilla's security advisory, and it makes no mention of Opera. So sorry- Mozilla checked and saw Opera was vulnerable to the same exploit and shot them a heads up to let them know about it. Mozilla has ZERO obligation to the Opera folks, so that was being nice. If their advisory had mentioned Opera, there would be something to complain about. As it stands, all Opera's complaint accomplished was advertising to the world that their browser was vulnerable and unpatched. Smart people indeed.