Opera Screeches at Mozilla Over Security Disclosure
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
All Things Considered... (Score:5, Insightful)
Re:All Things Considered... (Score:5, Insightful)
Re:All Things Considered... (Score:5, Insightful)
Re:All Things Considered... (Score:4, Insightful)
True, but surely Mozilla has a moral obligation to ensure that other browsers (and ultimately, users) have as much time as possible to prepare for when the exploit becomes public domain?
Re: (Score:3, Insightful)
But you've missed the point... (Score:5, Insightful)
No one is suggesting that Mozilla should have delayed the fix (in order to hold back disclosure).
No, it would have been open and responsible and good if someone at Mozilla had thought to send an email to the Opera dev team a week or two ago saying:
We're fixing this exploit and think you should too.
Lots of Love,
Your secret big red monster Valentine.
No need to coordinate releases, but given that it took them a while to patch it, they should assume it'll take Opera a wee while too, and in the meantime they're leaving members of the public open to exploit.
Members of the public that used to use Firefox, but had to stop because Mozilla never fixed the memory leak and these users were using old machines (NT4, 32 meg RAM) and Open Source was supposed to mean never being obsolete, but it was only the non-open, free Opera browser that offered me a fully-patched, fully working browser.
HAL.
Re: (Score:2, Insightful)
Re: (Score:2, Flamebait)
That's what it boils down to. Mozilla had a simple choice: fix the vulnerability and publish (since FF is open source), or leave it unpatched until Opera fix it too (i.e. indefinitely). If Opera can't keep up, too bad, because they can't expect FF to remain vulnerable while they get their act together.
Re: (Score:2, Interesting)
Re: (Score:2, Insightful)
They can avoid mentioning the specifics, and if needed, they can hold back the source.
I am certainly glad they did not do that. If they held back the source, those of us who use Gentoo or build our browser from source would still be vulnerable until Opera got around to fixing it. Why should we be? Also note that most open source projects' CVS tree is very much open; the whole point is that any user can download the source.
In fact, you are a complete moron: The GNU licence means they HAVE to make the source code available on request at the very least.
Re: (Score:2)
You're half right. Firefox is released under a triple license; the MPL is one choice and the GPL is another. I forget what the third choice is. I'm not sure if they require copyright assignment, but even if they do it wouldn't help much to make a binary-only release; most of their users wouldn't get the update before they got around to releasing the source code anyway. Some Windows users, perhaps, but a large share are on Linux where updates are managed through a c
Re:All Things Considered... (Score:5, Insightful)
The problem was reported in November and fixed in early February.
Clearly, this is longer than one day.
Following the links in other posts to the mozilla issue tracking, it apparently took a while to fix.
The Opera guys would have liked a little more heads-up than one day, that's all, and that doesn't seem unreasonable to me.
Why all the high-and-mighty whining about 'if they really cared they would have fixed it'?
Re: (Score:3, Informative)
Re:All Things Considered... (Score:5, Insightful)
Full public disclosure of security bugs is generally considered the best way to get rapid fixes, and was the entire reason that places like BugTraq were founded. Following standard protocol is not an "attack". Vendors like to assume that you're just maliciously publishing things that would be no problem for their users until you did so. That's untrue.
Many bugs are well-known by black hats before they are found by the good guys. The safest thing for users is to assume that all severe bugs are well-known by the bad guys; when you disclose publicly, you give the users a chance to protect themselves even if the software is not yet fixed. I'm not sure of the details of this exploit, but they may be able to protect themselves by limiting their surfing to well-known trusted sites, using an alternate browser, or turning off javascript or whatever. In other cases, some sort of external wrapper or proxy, tighter firewall rules, limiting access to DMZs, or other external steps can help prevent big security problems even without a full vendor fix available yet. It may even be worth it to some users just to forgo using an application for a few days until it's fixed.
Keeping silent until the vendor fixes things might just hurt the user's security situation, and certainly doesn't give the user the option of evaluating the risk and determining whether it's worth ignoring it or not--it forces them to make their usage decision without good information.
Re: (Score:2)
Re: (Score:3, Insightful)
Further, why would you encourage others to "attack MS in this way?" - that is stupid and unprofessional. I am a committed Linux user, in my free time I build and test each kernel snapshot as it is released. Why, because I love to get into the guts of the system.
Am I a Windows lover? Not really, but I do bring up an XP image from time to time as a guest on my Linux s
Re: (Score:2)
Mozilla have historically played nice with everybody, including Microsoft [informationweek.com].
Opera Software found and patched what it's calling a "highly severe" bug in its flagship browser, using a security tool released by its competitor, Mozilla.
Mozilla worked with Microsoft, Apple, and Opera before making the JavaScript fuzzer widely available in order to reduce the possibility that the tool might be used to expose vulnerabilities in those browsers.
Strangely enough, the actual advisory [mozilla.org] by Mozilla which was linked to by Opera's Claudio Santambrogio in his complaint doesn't mention Opera at all. Given Mozilla's history of cooperation with other browser teams, you'd have to guess any failure in early notification was through oversight rather than intention.
Re: (Score:3, Insightful)
I agree that they probably fulfilled their minimum obligation, but it would be great to see a much higher degree of co-operation between the vendors of minority browsers. By all means attack MS in this way, but play nice amongst the good guys.
There are very advanced developers at Opera too; remember, these guys manage to code a 90 KB J2ME single binary which may work in hundreds of millions of mobile phones (Opera Mini), or a browser small enough to run on various kinds of Symbian smart phones.
Also these guys are browser developers, same job...
I am near sure they see some potential issues on Mozilla source sometimes and silently inform them about them. If this happened, I can understand their frustration about a hit from "nice guys".
Of course, t
Re:All Things Considered... (Score:4, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
The only good browser for portables? (Score:2)
First... (Score:5, Funny)
Oh bitch, bitch, bitch! (Score:3, Interesting)
Re: (Score:3, Funny)
Re: (Score:2)
Wrong on both counts, for several years actually.
Re: (Score:2)
Were you replying to somebody that said Opera didn't make money and replied to my post by mistake? Heh.
Sheesh... (Score:3, Interesting)
I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?
Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
Re:Sheesh... (Score:5, Informative)
Re:Sheesh... (Score:5, Insightful)
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
The fact that they hid the bug reports at all should be enough to make the Opera kids grateful. After all, the Mozilla foundation operates in a pretty open and transparent fashion. The most honest (and destructive) way to go would be to never hide the bug reports.
But just to cover that old ground once again; when code changes, diffs happen automatically, and people know just precisely what changed. You can be sure that some of those people are malicious hackers looking for new ways to screw us all; there's good money in it. So by hiding the details of the exploit, you make sure that only the more skillful and malicious hackers have the exploit. Does that sound like a good idea to you?
Re:Sheesh... (Score:5, Insightful)
Re: (Score:2)
Re:Sheesh... (Score:5, Insightful)
Maybe, maybe not. You never know what the black hats already know; as a _user_ of ssh, if you disclose then I can take steps to limit damage--e.g. if I'm allowing full ssh access from outside my network (so that employees can work on the go), I may decide that the small benefit of doing so doesn't merit the risk. I'd rather turn off external ssh access for a few days until there's a fix.
When you hide the bug, you're hiding the ability for the users to take steps to protect themselves. You're forcing me to run with exposed systems for several days, and hoping that nobody "bad" knows about the bug. And you're making that judgement for your users rather than giving them the ability to make that call themselves; that's almost impossible given that the judgement might hinge heavily on whether I'm a large financial institute or a personal blog site that backs up daily. Just guessing that most users are happy with your security through obscurity is bound to be wrong in some cases, and those cases are likely to be some of the more financially significant ones.
(That's on top of the pressure to issue a real fix that full disclosure brings. Before things like BugTraq, it was common for people to sit on severe security bugs for literally _years_.)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
You haven't given a specific example of Opera needlessly hiding an exploit.
Re:Sheesh... (Score:5, Interesting)
Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.
I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory [mozilla.org]? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report [mozilla.org] without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:
So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.
Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.
Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Mozilla would've been better off keeping their mouths shut. As it is, they've irresponsibly disclosed a vulnerability in a competitor's product.
Re: (Score:2)
Re:Sheesh... (Score:5, Insightful)
Could a coder please weigh in? (Score:2)
So, is having one day to evaluate and fix a security hole reasonable? And also, is having the source code open and available to others advantageous at all in meeting so short of a deadline?
Re:Could a coder please weigh in? (Score:5, Insightful)
For example, Opera is on a very different timezone from the US, so initial publication may happen overnight from the POV of the Opera staff.
So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.
Then you have to find people with the capability to test whether it's a real problem. This may take a couple hours. People go on vacation, get sick, etc.
Then you have to take the time to do the research, test whether this is a real problem, what versions it affects, etc. This takes a couple hours.
Then you have to stop a coder from working on something else, bring them up to speed on the problem (if it's not the same person doing the testing), and get them started on the fix.
Then even with a fix you have to do regression tests. Not sure about Opera, but many mature apps have full test suites that can take a couple hours.
Then you have to write release notes, update the web page, do a new deploy package, and update your update servers to notify Opera that there is a new update.
As you can see, very little of the time here is coding.
Many large orgs have taken steps to create a 'short path of decision making' to streamline this process, always have one coder on call who can do this work, etc. But even then if anything is out of whack or the wrong person is sick or on vacation or on another urgent item, a whole day could pass without response.
Re: (Score:3, Insightful)
Re: (Score:2)
The problem usually isn't coding time. It's organizational response and resource allocation issues.
Opera should probably use this as an opportunity to review those practices.
For example, Opera is on a very different timezone from the US, so initial publication may happen overnight from the POV of the Opera staff. So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.
Opera has a lot of paying corporate customers and can afford to do better; Their customers also deserve as much. After all, what happens if a 0-day comes out in the US? "I was asleep" is not an excuse for supported software. Where I work, others would not hesitate to call me at 2am if something really needs to be fixed, and that's something I accept as part of my job. For Opera, this could be as simple as hiring a few people ar
I must be missing something here... (Score:5, Insightful)
Re:I must be missing something here... (Score:5, Funny)
Hmm, there's something wrong with my sarcasmeter, it seems to be off the scale...
Re: (Score:3, Funny)
Re:I must be missing something here... (Score:4, Insightful)
I think the point is that they *did* know that this particular vulnerability affected Opera and took their time about telling them.
It still doesn't seem like a huge deal, but on the other hand if you read what the Opera guy actually wrote, it also doesn't seem like a huge deal. "Screeches" seems a bit excessive.
Re: (Score:2)
It still doesn't seem like a huge deal, but on the other hand if you read what the Opera guy actually wrote, it also doesn't seem like a huge deal. "Screeches" seems a bit excessive.
Agreed, but if minor quibbles between software groups weren't overplayed and sensationalized, then what exactly would we be reading on Slashdot? Plus, you must be new here, because what business do you have reading the article anyway? You're supposed to just read the inaccurate summary and then "wing it."
Anyways, here, the use of the word "screeches" is not descriptive of the communication that took place, it just means that somebody needs to have their Roget's confiscated. I'm inclined not to think that S
Re: (Score:2)
Re: (Score:3, Funny)
Re:I must be missing something here... (Score:5, Insightful)
Or are you saying they should have released the fix and not mentioned what it was fixing, making it less likely people would apply the fix (plus it's open source; not saying what it's fixing doesn't really keep it secret)?
Note that mozilla never mentioned Opera in the advisory anyway.
So what you're really saying is that Mozilla should pass all its security fixes past Opera and IE and Safari and Konqueror etc. and not release them until all of those competitors have said "OK, we've fixed it too".
Re: (Score:2)
In fact the curious people will probably find the security problem slightly quicker...
Re: (Score:2)
And yes given the source code it is trivial for someone interested in security in the slightest to determine what the security hole was. People do it by looking at the changes in disassembled binaries...
Re:I must be missing something here... (Score:5, Insightful)
What I seem to get from the article is that a problem was found with Firefox, a fix was developed, and sometime prior to wrapping things up and deploying the fix, someone at Mozilla cared enough about the Internet environment we all share to do a quick regression test of Opera and when a problem was discovered, they PRIVATELY notified the Opera team.
What more could you ask for in the way of good citizenship?
Re: (Score:2)
"Attention, Opera once had a security hole but doesn't any more. News at 11"
Re: (Score:2, Informative)
I do wish Opera would take this update opportunity to fix their toolbar so it looks similar to IE and Firefox, in that the blank space, where Opera used to have their advertisement bar, is removed, and filled with browser controls like the others have. To me, the greatest thing is Firefox having the toolbar editor, so the user can set it up like they want.
Do you realize that Opera's entire GUI is completely user-configurable, without any plugins?
You just right click on the toolbar, click Customize, then drag and drop to your heart's content. Couldn't be easier.
I'm not sure what blank space you're talking about. My Opera (on Windows) has no blank space. And even if it did, you just re-organize the toolbars to eliminate it.
Heck, you can even put the tabs (or any toolbar or menu bar) on the side of the screen or the bottom (where I prefer) if you want.
In my
overreaction (Score:2, Insightful)
Re:overreaction (Score:5, Interesting)
At the end of the day, Mozilla would have acted better by keeping the exploits closed for a few more days, as they would hope anyone else would do for them. By not doing so, they upset people, and others expressing that upset is perfectly understandable. There's no mass outcry at Opera, no press release or open letter saying the Mozilla team are dicks, there's a few words saying what happened and a couple of emoticons on a developer blog entry.
Re: (Score:2)
True, suitably smrt and inclined people can probably look at the fix and come up with the exploit on their own, but there are very few such people compared to the masses of kiddies who just want a readymade exploit they can hack on and use.
See this? (Score:4, Funny)
the alternative being...? (Score:5, Insightful)
So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.
Opera might be a nifty browser, but apparently its authors are whiny bitches.
-=rsw
Re: (Score:2)
The alternative being to inform Opera as soon as they realized it was affected, not at the last minute before public disclosure. (Presuming they didn't first test it in Opera right before public disclosure, which might have been the case.)
Apologies! (Score:4, Funny)
Next time we'll just let you figure it out on your own.
Re: (Score:2)
Maybe that's what should happen next time.
Re: (Score:2)
What did you expect them to do? Not fix Firefox for a few days?
OT: User agent (Score:2)
Because I frequently visit websites (such as www.cvs.com) that expressly disallow Opera users to access the website for no apparent reason. Leaving on "ID as IE" saves me hassle... plus I'm not a super hardcore must-evangelize-[X]-browser person; Opera is the best I've found, so it is what I use. I could care less what other people use.
I'm not sure if Opera lets you customize the UA string to whatever you like, but I find it best to add whatever string the page is looking for into my Firefox UA. For example, Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12; .NET CLR 2.0.50727; not MSIE 6.0) Gecko/20080201 Firefox/2.0.0.12. The idea is that it gets you in without much trouble, while still letting the site know that you prefer a different browser and they should fix their site (or browser detection). Wouldn't it be great if
Re: (Score:2)
Some sites I have it set to mask as Firefox, some are ID as IE (with Opera in the string), some are ID as Firefox, and I default to IDing as Opera.
Streisand effect? (Score:5, Interesting)
Re: (Score:3, Insightful)
Re:insightful?? (Score:5, Interesting)
Re:insightful?? (Score:4, Informative)
From TFA:
Opera was notified the day before the February 7 release - that would be February 6. Today is February 18. Is that not 12 days?
Re: (Score:3, Informative)
God's teeth, man! Have you really read the article? The vulnerability was reported to Opera a day before Fx 2.0.0.12 was released with full disclosure of Fx and Seamonkey bugs (no mention whatsoever of Opera) on the 7th. It is now the 18th. 18th - 6th = 12. Instead of keeping schtum and coding a fix, they chose to shoot themselves in the foot by disclosing that Opera had this vulnerability and it was the big, bad Mozilla Foundation's fault that it was disclo
Re: (Score:2)
As this shows, it's not perfect, b
Opera users (Score:2, Funny)
Yeah, both of them.
Re: (Score:2, Insightful)
Yours is really a flamebait comment, and if there were a considerable number of Opera users with moderation
Re: (Score:2)
Opera has a lot of nifty features, but to my mind, it's crippled by an interface that makes it take forever to figure out how to configure the thing to do what you want. I'd _love_ for the Opera folks to take the Firefox code and rewrite it to their standards. FF would be SOOO much faster. I just don't want the Opera interface.
Oprah screeches at Godzilla over Security! (Score:5, Funny)
Only on the internet (Score:2)
Only on the series of tubes of the Interwebs does someone Piss and Whine when another person does them a favour.
I hereby declare Opera a whiny bizznatch. [carcino.gen.nz]
Opera users? (Score:2, Flamebait)
In other words, it puts nobody at risk.
Was there an obligation? (Score:3)
Offtopic: Did that Opera guy ever swim from US to Norway? Speak about obligations.
What's the big deal, just go fix it (Score:3, Interesting)
I know you don't have any people committed to different projects.
I know you have your code at a stable point so it's easy to slip in a change
I know this only takes one guy 5 min to go change a few lines of code
I know it's ready to ship the moment it's changed
I know you coded it right and didn't break anything else
Remember this is open source, so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.
What's the point of being open source if you don't do what the community expects of you.
END RANT
OK, I bet the underlying issue is they expected to have a little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.
The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
...it places Opera users at unnecessary risk? (Score:4, Funny)
Re: (Score:2)
Well, I can understand (Score:2)
That being said, "Opera's" response wasn't exactly professional either. At least it should have been better worded and cited industry standard ways of working to
Screeching Simpsons Quote (Score:2)
"We had another fight over the inflatable bath pillow. I kept screeching and screeching at him, but..."
-- Agnes Skinner, describing her latest fight with her son, Seymour
Crap article (Score:5, Insightful)
What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the
I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more than one day before public disclosure of a security hole.
Re: (Score:3, Insightful)
Not announcing it means that the black hats get to use it for longer, and that's bad for millions of users. By contrast, delaying the announcement merely saves two or three developers some embarrassment, at the cost of increased damage to everybody else.
However you look at it, the benefits of delayed announcements don't add up.
I am with the opera dudes on this one. (Score:2)
screeches? (Score:4, Insightful)
Come on, can we get article titles and summaries that don't *immediately* tell us how we should feel about an article before even telling us the circumstances?
I mean, give me a break, this is a lower standard of reporting than even Fox News uses. For *once* I'd like to see a Slashdot editor try to be objective, and let the readers make up their own minds instead of trying to spoon-feed us our opinions.
Re: (Score:2)
Re: (Score:2, Funny)
> that don't *immediately* tell us about how we should
> feel about an article before even telling us the circumstances?
What?
You want me to RTFA before drawing conclusions?
You must be new here....
Re:26% decrease in comments per hour since /. chan (Score:2)
Re: (Score:3, Insightful)
So I took a look at the last story [slashdot.org] about Firefox bugs. And guess what - you have people criticising the person for making the bug public in a way not helpful to the developers [slashdot.org]. And do I hear "crybaby"? No, instead it gets modded up to +4.
Re: (Score:2)
End of list.
Re: (Score:2)
Desktop application code, you must admit, is pretty crappy these days... when it comes to security. Name one desktop application that hasn't had MULTIPLE security patches in the last year.
Most security experts also agree that this "patching everything and then patching it again" is killing the real gains found (monetary) by utilizing the technology in the first place. At some point if it was written badly enough to need continuous patching, the support staff required to keep up with patchin