Tuxicity's source

January 11, 2007

Mozilla Takes Aim at Opera Security (and Opera’s Reply)

Filed under: Browsers, Mozilla, opera — tuxicity @ 8:31 am

Opera Software may well be putting its browser users at risk by not properly disclosing security vulnerabilities to vulnerable users.

At least that’s the allegation made by Mozilla Corp.’s Asa Dotzler. According to the security research firm that discovered the recent Opera vulnerabilities, Opera’s security disclosure practices are no better (or worse) than most vendors’.

Dotzler alleges that Opera downplays the severity of its security announcements, which come weeks after a new product release.

“Now, let me make this clear up front. I am not claiming that they should be releasing the explicit details of their fixes or specific information about how to exploit the unfixed versions of the browser,” Dotzler blogged.

“But not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.”

Opera software did not respond to requests for comment from internetnews.com by press time.

A pair of highly critical vulnerabilities was recently made public by Opera. Both of the vulnerabilities were reported to Opera by Verisign’s iDefense security division. The vulnerabilities affect version 9.02 of Opera and could potentially have led to the execution of arbitrary code if exploited.

Version 9.10 of Opera, which was released late in 2006, fixes the issues. The official changelog for Opera 9.10 does not make explicit mention of the security fixes for the iDefense-discovered flaws, nor is there an indication that users should move to 9.10 to fix the security flaws.

Mozilla’s Dotzler argues that even Microsoft does a better job of revealing to its users that a flaw existing in a previous version of an application and that an upgrade for security reasons is necessary. Dotzler had some very strong words for Opera about its apparent lack of disclosure.

“This is an unacceptable practice for any company that makes Internet-connected software — and when it comes to browser makers, it’s hard to call it anything other than negligence,” Dotzler wrote.

Despite the harsh words, Opera’s actions may well be the norm rather than the exception.

“I believe Opera do try to downplay (and possibly hide the problems) in some cases, just as MOST vendors do,” Frederick Doyle, senior intelligence analyst at VeriSign-iDefense, told internetnews.com. “For example, they have attributed some vulnerabilities we have reported as ‘stability issues.'”

Opera didn’t exactly drag its feet in response to iDefense’s discovery either. According to iDefenses’s Opera advisory, initial notification of the security vulnerabilities was made to Opera on Nov. 16, 2006. Opera responded the next day, and a coordinated public disclosure occurred on Jan. 5, 2007.

“I would say they are slightly better than average, as they do fix vulnerabilities in a somewhat timely manner,” Doyle said. “Although we had some issues with getting them to address things a while back, they seem to have gotten better with our recent reports to them.”

Original from internetnews.com.

Opera’s Reply (Thanks Damian)

Advertisements

3 Comments »

  1. Opera replied :
    http://www.internetnews.com/dev-news/article.php/3653226

    Comment by Damian — January 11, 2007 @ 8:56 am

  2. Hi! Why I can’t fill my info in profile? Can somebody help me?
    My login is Kisakookoo!

    Comment by Kisakookoo — January 24, 2007 @ 6:16 am

  3. I follow your posts for a long time and must tell you that your articles are always valuable to readers.

    Comment by How to Get Six Pack Fast — April 15, 2009 @ 3:38 pm


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: