Opera Screeches at Mozilla Over Security Disclosure

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
  • by Enuratique ( 993250 ) on Monday February 18, 2008 @06:36PM (#22468464)
    Listen, would you rather they give you no advanced warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top priority bug fix - which is good for everyone.
  • Sheesh... (Score:3, Interesting)

    by TripMaster Monkey ( 862126 ) on Monday February 18, 2008 @06:36PM (#22468470)
    From TFA:

    Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. "They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody," Santambrogio writes.

    I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?

    Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
  • Streisand effect? (Score:5, Interesting)

    by Epsillon ( 608775 ) on Monday February 18, 2008 @06:49PM (#22468598) Journal
    Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure [mozilla.org] that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry [mitre.org] doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...
  • Fanboys (Score:1, Interesting)

    by Anonymous Coward on Monday February 18, 2008 @06:51PM (#22468612)
    Anyone else read the comments on the Opera blog? Pretty embarrassing stuff.
    http://my.opera.com/desktopteam/blog/2008/02/14/9-26-coming-soon [opera.com]

    "Well those Mozilla guys think that openness is the answer to everything. :-/"

    "Mozilla never knows when to keep their mouths shut...
    Of course, considering that there are active exploits for Firefox, it's safe to say that the malware authors already knew about this security vulnerability."

    "I'm not surprised about the Mozilla Corporation. Maybe they pretend they never have security issues with their code? There are still security issues with Firefox and with *any* software developed by humans, so they should be more humble and responsible. They're not harming Opera Software ASA, they're putting the Opera users in jeopardy, this is not a good way to have them use Firefox. This is evil, irresponsible and unethical at the very least. Shame on Mozilla!"

    "Never mind, guys, let the Mozilla devs have a more secure browser for at least a few days (-;E"

  • Re:overreaction (Score:5, Interesting)

    by Fweeky ( 41046 ) on Monday February 18, 2008 @06:56PM (#22468674) Homepage
    I don't see how expressing displeasure at something on a blog is an overreaction. "Screeching" is stretching it pretty fucking far, since it's basically saying what happened. Where in the blog entry is there screeching, perhaps the bold on "responsible", or maybe the ":("? Wouldn't it be better to link to the blog entry directly and not some dumb opinionated elreg article? Really, did you even read the original source before deciding "the developer needs a chill pill"?

    At the end of the day, Mozilla would have acted better by keeping the exploits closed for a few more days, as they would hope anyone else would do for them. By not doing so, they upset people, and others expressing that upset is perfectly understandable. There's no mass outcry at Opera, no press release or open letter saying the Mozilla team are dicks, there's a few words saying what happened and a couple of emoticons on a developer blog entry.
  • by KevMar ( 471257 ) on Monday February 18, 2008 @07:06PM (#22468772) Homepage Journal
    What's the big deal? Just go fix it.

    I know you don't have any people committed to different projects.
    I know you have your code at a stable point so it's easy to slip in a change
    I know this only takes one guy 5 min to go change a few lines of code
    I know it's ready to ship the moment it's changed
    I know you coded it right and didn't break anything else

    Remember this is open source, so you should be able to fix all security issues quickly. I bet someone else has already done it for you. Just ask someone for it.

    What's the point of being open source if you don't do what the community expects of you?

    END RANT

    OK, I bet the underlying issue is they expected to have a little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.

    The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
  • Re:Sheesh... (Score:5, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday February 18, 2008 @07:24PM (#22468950) Homepage Journal

    But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

    Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.

    I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
    You haven't given a specific example of Opera needlessly hiding an exploit.

    I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory [mozilla.org]? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report [mozilla.org] without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:

    These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

    So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.

    Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.

    Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.

  • Re:insightful?? (Score:5, Interesting)

    by Epsillon ( 608775 ) on Monday February 18, 2008 @07:29PM (#22468984) Journal
    They've had twelve days to fix it. Have they? If you RTFA, you'll see not only have they not, they've expended a greater amount of energy trying to whip up support for their malcontent with Mozilla. So, in reply, yes it does seem that they would rather cover this up than fix the issue in a timely manner. Their actions scream it, even if TFA doesn't.
  • by eam ( 192101 ) on Tuesday February 19, 2008 @07:40AM (#22473296)
    Considering that their browser is open source, how do they release the fix and still hold back on the details?
  • by Ikar_rb ( 1201727 ) on Tuesday February 19, 2008 @02:40PM (#22477944)
    I call BS on Opera's complaint. I just read Mozilla's security advisory, and it makes no mention of Opera. So sorry - Mozilla checked and saw Opera was vulnerable to the same exploit and shot them a heads up to let them know about it. Mozilla has ZERO obligation to the Opera folks, so that was being nice. If their advisory had mentioned Opera, there would be something to complain about. As it stands, all Opera's complaint accomplished was advertising to the world that their browser was vulnerable and unpatched. Smart people indeed.