Opera Software may well be putting its browser users at risk by not properly disclosing security vulnerabilities to vulnerable users.
At least that’s the allegation made by Mozilla Corp.’s Asa Dotzler. According to the security research firm that discovered the recent Opera vulnerabilities, Opera’s security disclosure practices are no better (or worse) than most vendors’.
Dotzler alleges that Opera downplays the severity of its security announcements, which come weeks after a new product release.
“Now, let me make this clear up front. I am not claiming that they should be releasing the explicit details of their fixes or specific information about how to exploit the unfixed versions of the browser,” Dotzler blogged.
“But not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.”
Opera software did not respond to requests for comment from internetnews.com by press time.
A pair of highly critical vulnerabilities was recently made public by Opera. Both of the vulnerabilities were reported to Opera by Verisign’s iDefense security division. The vulnerabilities affect version 9.02 of Opera and could potentially have led to the execution of arbitrary code if exploited.
Version 9.10 of Opera, which was released late in 2006, fixes the issues. The official changelog for Opera 9.10 does not make explicit mention of the security fixes for the iDefense-discovered flaws, nor is there an indication that users should move to 9.10 to fix the security flaws.
Mozilla’s Dotzler argues that even Microsoft does a better job of revealing to its users that a flaw existing in a previous version of an application and that an upgrade for security reasons is necessary. Dotzler had some very strong words for Opera about its apparent lack of disclosure.
“This is an unacceptable practice for any company that makes Internet-connected software — and when it comes to browser makers, it’s hard to call it anything other than negligence,” Dotzler wrote.
Despite the harsh words, Opera’s actions may well be the norm rather than the exception.
“I believe Opera do try to downplay (and possibly hide the problems) in some cases, just as MOST vendors do,” Frederick Doyle, senior intelligence analyst at VeriSign-iDefense, told internetnews.com. “For example, they have attributed some vulnerabilities we have reported as ‘stability issues.'”
Opera didn’t exactly drag its feet in response to iDefense’s discovery either. According to iDefenses’s Opera advisory, initial notification of the security vulnerabilities was made to Opera on Nov. 16, 2006. Opera responded the next day, and a coordinated public disclosure occurred on Jan. 5, 2007.
“I would say they are slightly better than average, as they do fix vulnerabilities in a somewhat timely manner,” Doyle said. “Although we had some issues with getting them to address things a while back, they seem to have gotten better with our recent reports to them.”
Opera’s Reply (Thanks Damian)