Opera Screeches at Mozilla Over Security Disclosure

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
  • Re:Sheesh... (Score:5, Informative)

    by xactoguy ( 555443 ) on Monday February 18, 2008 @06:47PM (#22468580)
    From the Opera developers' description [opera.com] it appears that the Mozilla foundation could have handled things more professionally - Opera was only notified the day before a public advisory was published, and since that time the Mozilla foundation have opened most of the bug reports containing exploitation details to the general public. Judging from the emoticons on Opera's blog, the latter action by the Mozilla foundation is the primary issue here, not that they published the advisory.
  • by Allador ( 537449 ) on Monday February 18, 2008 @07:39PM (#22469068)

    I do wish Opera would take this update opportunity to fix their toolbar so it looks similar to IE and Firefox, in that the blank space, where Opera used to have their advertisement bar, is removed, and filled with browser controls like the others have. To me, the greatest thing is Firefox having the toolbar editor, so the user can set it up like they want.
    Do you realize that Opera's entire GUI is completely user-configurable, without any plugins?

    You just right click on the toolbar, click Customize, then drag and drop to your heart's content. Couldn't be easier.

    I'm not sure what blank space you're talking about. My Opera (on Windows) has no blank space. And even if it did, you just re-organize the toolbars to eliminate it.

    Heck, you can even put the tabs (or any toolbar or menu bar) on the side of the screen or the bottom (where I prefer) if you want.

    In my opinion, Opera has a much cleaner toolbar than either Firefox (very amateur, blocky) or IE (schizophrenic, why are half the buttons on one side, half on the other?).

    Firefox's GUI in particular always looks very amateurish. Like it was done by 'this guy' that someone knew who 'is good with graphics'. Whereas the other browsers actually hired professionals.
  • Re:insightful?? (Score:4, Informative)

    by Rudolf ( 43885 ) on Monday February 18, 2008 @08:45PM (#22469662)
    where does it say they had twelve days to fix it?

    From TFA:

    Mozilla fixed the flaw, along with other more serious bugs, with the release of Firefox 2.0.0.12 on 7 February. Opera, which is yet to plug the moderate risk flaw, objected to the Mozilla team publishing an advisory on the issue.
    Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory.


    Opera was notified the day before the February 7 release - that would be February 6. Today is February 18. Is that not 12 days?

  • Re:insightful?? (Score:3, Informative)

    by Epsillon ( 608775 ) on Monday February 18, 2008 @08:50PM (#22469710) Journal

    where does it say they had twelve days to fix it?
    God's teeth, man! Have you really read the article? The vulnerability was reported to Opera a day before Fx 2.0.0.12 was released with full disclosure of Fx and Seamonkey bugs (no mention whatsoever of Opera) on the 7th. It is now the 18th. 18th - 6th = 12. Instead of keeping schtum and coding a fix, they chose to shoot themselves in the foot by disclosing that Opera had this vulnerability and it was the big, bad Mozilla Foundation's fault that it was disclosed because they fixed the browser that has 27% market share [platinax.co.uk] and growing [1] in Europe and told people what they had fixed. Nowhere did Mozilla, or anyone else, mention that Opera was vulnerable. I didn't even know, despite being subscribed to a number of vulnerability reporting lists, until they opened their mouths and took a swipe at Mozilla. I know now, of course. Why do you think that is?

    The whole point of this entire debacle is that Opera themselves disclosed this and, by complaining about full disclosure, showed their true colours when it comes to vulnerabilities in their flagship browser. Mozilla reported the vulnerability in a professional manner to a competitor to whom they owe nothing but felt ethically it was the right thing to do, then fixed their own product. Opera's actions in this matter show me quite clearly what they would have preferred to do but perhaps I'm just a raving zealot or a tin-foil hatter seeing conspiracies where none exist. There again, perhaps not. Feeling lucky? I hope you are, since you're betting, with apparently very little information, that Opera fixes the bugs in its software instead of simply sitting on reports from security experts trying to do the right thing. Security experts and competitors who may just think twice before submitting findings to Opera in the future.

    [1] 94% of statistics are pulled from someone's behind. Suffice to say a significant portion of the web browsing public use Fx. My analog shows it to be much, much higher but my web server hosts predominantly open source software, so that's to be expected.
  • Re:Sheesh... (Score:3, Informative)

    by BZ ( 40346 ) on Tuesday February 19, 2008 @03:56AM (#22472374)
    I just checked, for what it's worth. This bug has never had the security flag removed.
  • by Anonymous Coward on Tuesday February 19, 2008 @05:18AM (#22472686)
    Mozilla found the bug and fixed it. They only gave Opera one day to fix the bug before notifying the entire world. It doesn't matter that Opera hasn't fixed it yet. They still only gave them one day to react (probably less, given the time difference).
  • by Fordiman ( 689627 ) <fordiman @ g m a i l . com> on Tuesday February 19, 2008 @04:42PM (#22479774) Homepage Journal
    Why is Mozilla responsible for Opera's poor QA? It may be that one of the MozDevs, late in the game, was poking around and said, "Hey, guys. Did you notice this exploit works in Opera too? We should phone 'em up."
