Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
the alternative being...? (Score:5, Insightful)
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
Re:I must be missing something here... (Score:0, Insightful)
Proper security response has always been to NOT release data until the vendor has had a chance to respond. Mozilla DIDN'T DO THAT, and released the information anyway.
They should have given Opera time to fix the flaw BEFORE announcing it to the world.
If Microsoft did the same thing to Firefox, people would be calling for blood. The same standards should apply to open source projects!
Re:Sheesh... (Score:5, Insightful)
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
The fact that they hid the bug reports at all should be enough to make the Opera kids grateful. After all, the Mozilla foundation operates in a pretty open and transparent fashion. The most honest (and destructive) way to go would be to never hide the bug reports.
But just to cover that old ground once again; when code changes, diffs happen automatically, and people know just precisely what changed. You can be sure that some of those people are malicious hackers looking for new ways to screw us all; there's good money in it. So by hiding the details of the exploit, you make sure that only the more skillful and malicious hackers have the exploit. Does that sound like a good idea to you?
Re:I must be missing something here... (Score:5, Insightful)
Or are you saying they should have released the fix and not mentioned what it was fixing - making it less likely people would apply the fix (plus, since it's open source, not saying what it's fixing doesn't really keep it secret)?
Note that Mozilla never mentioned Opera in the advisory anyway.
So what you're really saying is that Mozilla should pass all its security fixes past Opera and IE and Safari and Konqueror etc. and not release them until all of those competitors have said "OK, we've fixed it too".
Re:I must be missing something here... (Score:4, Insightful)
I think the point is that they *did* know that this particular vulnerability affected Opera and took their time about telling them.
It still doesn't seem like a huge deal, but on the other hand if you read what the Opera guy actually wrote, it also doesn't seem like a huge deal. "Screeches" seems a bit excessive.
Re:All Things Considered... (Score:5, Insightful)
Full public disclosure of security bugs is generally considered the best way to get rapid fixes, and was the entire reason that places like BugTraq were founded. Following standard protocol is not an "attack". Vendors like to assume that you're just maliciously publishing things that would be no problem for their users until you did so. That's untrue.
Many bugs are well-known by black hats before they are found by the good guys. The safest thing for users is to assume that all severe bugs are well-known by the bad guys; when you disclose publicly, you give the users a chance to protect themselves even if the software is not yet fixed. I'm not sure of the details of this exploit, but they may be able to protect themselves by limiting their surfing to well-known trusted sites, using an alternate browser, or turning off javascript or whatever. In other cases, some sort of external wrapper or proxy, tighter firewall rules, limiting access to DMZs, or other external steps can help prevent big security problems even without a full vendor fix available yet. It may even be worth it to some users just to forgo using an application for a few days until it's fixed.
Keeping silent until the vendor fixes things might just hurt the user's security situation, and certainly doesn't give the user the option of evaluating the risk and determining whether it's worth ignoring it or not--it forces them to make their usage decision without good information.
Re:Sheesh... (Score:3, Insightful)
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
You haven't given a specific example of Opera needlessly hiding an exploit.
Re:I must be missing something here... (Score:5, Insightful)
What I seem to get from the article is that a problem was found with Firefox, a fix was developed, and sometime prior to wrapping things up and deploying the fix, someone at Mozilla cared enough about the Internet environment we all share to do a quick regression test of Opera and when a problem was discovered, they PRIVATELY notified the Opera team.
What more could you ask for in the way of good citizenship?
Re:Sheesh... (Score:5, Insightful)
Maybe, maybe not. You never know what the black hats already know; as a _user_ of ssh, if you disclose then I can take steps to limit damage--e.g. if I'm allowing full ssh access from outside my network (so that employees can work on the go), I may decide that the small benefit of doing so doesn't merit the risk. I'd rather turn off external ssh access for a few days until there's a fix.
When you hide the bug, you're hiding the ability for the users to take steps to protect themselves. You're forcing me to run with exposed systems for several days, and hoping that nobody "bad" knows about the bug. And you're making that judgement for your users rather than giving them the ability to make that call themselves; that's almost impossible given that the judgement might hinge heavily on whether I'm a large financial institute or a personal blog site that backs up daily. Just guessing that most users are happy with your security through obscurity is bound to be wrong in some cases, and those cases are likely to be some of the more financially significant ones.
(That's on top of the pressure to issue a real fix that full disclosure brings. Before things like BugTraq, it was common for people to sit on severe security bugs for literally _years_.)
Crap article (Score:5, Insightful)
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more than one day before public disclosure of a security hole.
Re:All Things Considered... (Score:3, Insightful)
Further, why would you encourage others to "attack MS in this way?" - that is stupid and unprofessional. I am a committed Linux user; in my free time I build and test each kernel snapshot as it is released. Why? Because I love to get into the guts of the system.
Am I a Windows lover? Not really, but I do bring up an XP image from time to time as a guest on my Linux system. I have an older iBook running OS X which is the central core of my music system.
I even have a system up and running IBM's MVS 3.8 for those days when I really miss the old days of mainframes and punch cards.
Each of these systems has its good points and its bad points; I stick with Linux because I CAN get into the guts of the system. I keep my thumb on the pulse of all these operating systems because I love being close to the hardware.
That said, I have NEVER seen any vendor come out and invite an attack on a rival OS by detailing a security hole in public. Ballmer may be a fool with his rants on Microsoft's perceived superiority, but even he doesn't come out and discuss the details of anyone's security issues.
So why would you encourage it?
Re:Could a coder please weigh in? (Score:5, Insightful)
For example, Opera is in a very different timezone from the US, so initial publication may happen overnight from the POV of the Opera staff.
So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.
Then you have to find people with the capability to test whether it's a real problem. This may take a couple hours. People go on vacation, get sick, etc.
Then you have to take the time to do the research, test whether this is a real problem, what versions it affects, etc. This takes a couple hours.
Then you have to stop a coder from working on something else, bring them up to speed on the problem (if it's not the same person doing the testing), and get them started on the fix.
Then even with a fix you have to do regression tests. Not sure about Opera, but many mature apps have full test suites that can take a couple hours.
Then you have to write release notes, update the web page, do a new deploy package, and update your update servers to notify Opera that there is a new update.
As you can see, very little of the time here is coding.
Many large orgs have taken steps to create a 'short path of decision making' to streamline this process, always have one coder on call who can do this work, etc. But even then if anything is out of whack or the wrong person is sick or on vacation or on another urgent item, a whole day could pass without response.
Re:All Things Considered... (Score:4, Insightful)
True, but surely Mozilla has a moral obligation to ensure that other browsers (and ultimately, users) have as much time as possible to prepare for when the exploit becomes public domain?
Re:Fanboys (Score:3, Insightful)
So I took a look at the last story about Firefox bugs. And guess what - you have people criticising the person for making the bug public in a way not helpful to the developers. And do I hear "crybaby"? No, instead it gets modded up to +4.
Re:Opera users (Score:2, Insightful)
Yours is really a flamebait comment, and if there were a considerable number of Opera users with moderation points out there, I'm sure they'd overlook objectivity and mod you down.
Re:Crap article (Score:3, Insightful)
Not announcing it means that the black hats get to use it for longer, and that's bad for millions of users. By contrast, delaying the announcement merely saves two or three developers some embarrassment, at the cost of increased damage to everybody else.
However you look at it, the benefits of delayed announcements don't add up.
screeches? (Score:4, Insightful)
Come on, can we get article titles and summaries that don't *immediately* tell us how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even Fox News uses. For *once* I'd like to see a Slashdot editor try to be objective, and let the reader make up their own mind instead of trying to spoon feed us our opinions.
Re:All Things Considered... (Score:5, Insightful)
The problem was reported in November and fixed in early February.
Clearly, this is longer than one day.
Following the links in other posts to the Mozilla issue tracking, it apparently took a while to fix.
The Opera guys would have liked a little more heads-up than one day, that's all, and that doesn't seem unreasonable to me.
Why all the high-and-mighty whining about 'if they really cared they would have fixed it'?
Re:Sheesh... (Score:1, Insightful)
There should be a standard protocol among significant web-browser vendors for notifying each other of upcoming public announcements of vulnerabilities. No more than, say, two weeks' notice (possibly less?) among each other to check for potential flaws. (One week should be enough for any browser that's not a one-man band to at least do an 'are we vulnerable?' investigation.)
So, Mozilla notifies Opera they've discovered a flaw in Mozilla, gives Opera two weeks to check they're not vulnerable to the same thing. If any significant browser is, maybe give another two weeks for a patch to be developed. Then the information becomes public.
Sure, MS might be lagging behind with their patch-tuesday, but hey.
Still, Opera's security track-record does exceed Mozilla's.
But you've missed the point... (Score:5, Insightful)
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
We're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Re:All Things Considered... (Score:2, Insightful)
In fact, you are a complete moron: The GNU licence means they HAVE to make the source code available on request at the very least.
Re:All Things Considered... (Score:3, Insightful)
Also these guys are browser developers, same job...
I am nearly sure they see some potential issues in Mozilla source sometimes and silently inform them about them. If this happened, I can understand their frustration about a hit from the "nice guys".
Of course, these are guesses only and I don't even run Opera until they release 9.26/9.50 final on OS X Leopard.