Slashdot Mirror


Opera Screeches at Mozilla Over Security Disclosure

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."

15 of 208 comments

  1. All Things Considered... by neonmonk · · Score: 5, Insightful

    At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.

    1. Re:All Things Considered... by allcar · · Score: 5, Insightful

      I agree that they probably fulfilled their minimum obligation, but it would be great to see a much higher degree of co-operation between the vendors of minority browsers. By all means attack MS in this way, but play nice amongst the good guys.

    2. Re:All Things Considered... by moderatorrater · · Score: 5, Insightful

      I don't see it as an attack. It sounds like Opera didn't respond to Mozilla's notification at all. In addition, it's not Mozilla's obligation to make sure that Opera's secure, and it is their obligation to be open with the community to the extent that they can be while still being secure. Sometimes waiting to disclose can bite you in the end like it did with php a few months back. Add to that the bullshit excuse that you can't evaluate a security risk in one day and I think that Opera's just lashing out because they're embarrassed that they have a security flaw.

    3. Re:All Things Considered... by pthisis · · Score: 5, Insightful

      I agree that they probably fulfilled their minimum obligation, but it would be great to see a much higher degree of co-operation between the vendors of minority browsers. By all means attack MS in this way, but play nice amongst the good guys.

      Full public disclosure of security bugs is generally considered the best way to get rapid fixes, and was the entire reason that places like BugTraq were founded. Following standard protocol is not an "attack". Vendors like to assume that you're just maliciously publishing things that would be no problem for their users until you did so. That's untrue.

      Many bugs are well-known by black hats before they are found by the good guys. The safest thing for users is to assume that all severe bugs are well-known by the bad guys; when you disclose publicly, you give the users a chance to protect themselves even if the software is not yet fixed. I'm not sure of the details of this exploit, but they may be able to protect themselves by limiting their surfing to well-known trusted sites, using an alternate browser, or turning off javascript or whatever. In other cases, some sort of external wrapper or proxy, tighter firewall rules, limiting access to DMZs, or other external steps can help prevent big security problems even without a full vendor fix available yet. It may even be worth it to some users just to forgo using an application for a few days until it's fixed.

      Keeping silent until the vendor fixes things might just hurt the user's security situation, and certainly doesn't give the user the option of evaluating the risk and determining whether it's worth ignoring it or not--it forces them to make their usage decision without good information.

      --
      rage, rage against the dying of the light
    4. Re:All Things Considered... by nigelo · · Score: 5, Insightful

      Am I missing something?

      The problem was reported in November and fixed in early February.

      Clearly, this is longer than one day.
      Following the links in other posts to the mozilla issue tracking, it apparently took a while to fix.

      The Opera guys would have liked a little more heads-up than one day, that's all, and that doesn't seem unreasonable to me.

      Why all the high-and-mighty whining about 'if they really cared they would have fixed it'?

      --
      *Still* negative function...
  2. First... by hsdpa · · Score: 5, Funny

    to fix the exploit wins!

    --
    :(){ :|:& }:;
  3. Re:I must be missing something here... by Jester998 · · Score: 5, Funny

    Clearly, the Mozilla team should be performing full regression testing on every bug they fix against every browser known to man. What if the bug affects NCSA Mosaic?

    Hmm, there's something wrong with my sarcasmeter, it seems to be off the scale...

  4. Re:Sheesh... by xactoguy · · Score: 5, Informative

    From the Opera developers' description it appears that the Mozilla foundation could have handled things more professionally - Opera was only notified the day before a public advisory was published, and since that time the Mozilla foundation have opened most of the bug reports containing exploitation details to the general public. Judging from the emoticons on Opera's blog, the latter action by the Mozilla foundation is the primary issue here, not that they published the advisory.

    --
    And so we go, on with our lives
    We know the truth, but prefer lies
    Lies are simple, simple is bliss
  5. Re:I must be missing something here... by sholden · · Score: 5, Insightful

    So mozilla should have left their users open to the bug for longer, by delaying the fix so that Opera can catch up?

    Or are you saying they should have released the fix and not mentioned what it was fixing - making it less likely people would apply the fix (plus it's open source; not saying what it's fixing doesn't really keep it secret)?

    Note that mozilla never mentioned Opera in the advisory anyway.

    So what you're really saying is that Mozilla should pass all its security fixes past Opera and IE and Safari and Konqueror and etc and not release them until all of those competitors have said "OK we've fixed it too".

  6. Oprah screeches at Godzilla over Security! by jameskojiro · · Score: 5, Funny

    Best episode of Oprah ever!

    --
    Tsukasa: All I really want, is to be left alone...
  7. Re:Sheesh... by NMagic · · Score: 5, Insightful

    You know, looking at Mozilla's release, they didn't seem to mention anything to anybody about Opera having a problem too. Looks more like Opera screwed themselves.

  8. Re:I must be missing something here... by saltydog56 · · Score: 5, Insightful

    You know, maybe I am blind, or perhaps just a little slow today, but I looked at the actual advisory (did you?) and I see no mention of the fact that the same bug impacted the Opera browser.

    What I seem to get from the article is that a problem was found with Firefox, a fix was developed, and sometime prior to wrapping things up and deploying the fix, someone at Mozilla cared enough about the Internet environment we all share to do a quick regression test of Opera and when a problem was discovered, they PRIVATELY notified the Opera team.

    What more could you ask for in the way of good citizenship?

  9. Re:Sheesh... by pthisis · · Score: 5, Insightful

    But never hiding bugs is silly. For example, if you provide a strace of ssh crashing, you'd want to mark that private at least.

    Maybe, maybe not. You never know what the black hats already know; as a _user_ of ssh, if you disclose then I can take steps to limit damage--e.g. if I'm allowing full ssh access from outside my network (so that employees can work on the go), I may decide that the small benefit of doing so doesn't merit the risk. I'd rather turn off external ssh access for a few days until there's a fix.

    When you hide the bug, you're hiding the ability for the users to take steps to protect themselves. You're forcing me to run with exposed systems for several days, and hoping that nobody "bad" knows about the bug. And you're making that judgement for your users rather than giving them the ability to make that call themselves; that's almost impossible given that the judgement might hinge heavily on whether I'm a large financial institute or a personal blog site that backs up daily. Just guessing that most users are happy with your security through obscurity is bound to be wrong in some cases, and those cases are likely to be some of the more financially significant ones.

    (That's on top of the pressure to issue a real fix that full disclosure brings. Before things like BugTraq, it was common for people to sit on severe security bugs for literally _years_.)

    --
    rage, rage against the dying of the light
  10. Re:Sheesh... by drinkypoo · · Score: 5, Interesting

    But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

    Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.

    I think we all know already that disclosing the exploit is what brings the motivation to fix the hole. You haven't given a specific example of Opera needlessly hiding an exploit.

    I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:

    These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

    So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.

    Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.

    Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. But you've missed the point... by Half-pint+HAL · · Score: 5, Insightful

    That obligation is trumped by Mozilla's moral obligation to make sure that people who use Mozilla are not vulnerable to an exploit.

    No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).

    No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:

    Roses are red, violets are blue
    We're fixing this exploit and think you should too.
    Lots of Love,
    Your secret big red monster Valentine.

    No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.

    Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.

    HAL.

    --
    Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'