As I mentioned in my previous blogpost, couple of days ago Opera and iDefence lab announced that opera v9.x suffered from two highly critical vulnerabilities. Both of them have been patched in the latest release v9.1. However, the timing of the announcement has created a fair amount of controversy. Today I read Asa Dotzler’s blogpost – Opera fails to notify users at risk
He says :
Not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.
By adopting this practice, Opera is doing their users a great disservice. If Opera has fixed any serious security flaw, the only responsible way to ensure that users are safe is to clearly and consistently explain to those users that the latest release of the browser has fixed security flaws and users should immediately update or face real dangers on the web. Opera should be using the press it gets around releases to forcefully proclaim that previous versions of their browser are unsafe and should not be used. Failing to use the loudest microphone they have to reach their users in cases involving user safety is simply unacceptable.
Asa Dotzler is (in)famous for bashing Opera (for ridiculous reasons) in the past. However, this time around he does make a valid point. Failing to mention in the changelog that you have fixed a critical vulnerability is shabby. Have a look at the timeline of events :
11/16/2006 iDefence notifies Opera about this.
11/17/2006 Opera sends a response to iDefence.
11/17/2006 Opera releases a weekly build of v9.1. Doesn’t say anything about the vulnerability. Between this time and 18th Dec they release several weekly builds. None of the changelogs contain any information about the security vulnerability.
12/18/2006 Opera releases 9.1 final in which this has been fixed. However, the changelog fails to mention this.
01/05/2007 Opera and iDefence jointly releases details about these security holes.
Its baffling that they waited for 3 weeks before going public with this piece of information. In the past they have always revealed the security vulnerabilities fixed in the changelog, and their response time is generally around a couple of days.
Opera has also received flak for downplaying the seriousness of these exploits. If properly exploited (which is difficult but not impossible) it can allow execution of arbitrary code, which can be very dangerous. Yet, Opera Soft chose to classify them as moderate (apparently their reasoning is that the vulnerability is difficult to exploit).
The problem with not declaring that an update has security fixes is that many users (especially those having slow internet connections) may not download the newer version, which they think has only cosmetic additions. The fact that opera doesn’t have a proper update system doesn’t help either. In spite of the fact that in a normal upgrade majority of the files are unchanged users have to download the entire setup file. Opera should either add an update system like Mozilla Firefox or start distributing smaller setups with only the newer files.
However, I would like to state that I do not believe that Opera did this on purpose. It’s probably a mistake/slip-up on their part.
Update (8th Jan) : Opera has issued an clarification regarding this issue.
It is important that both parties do respect each other: if a fix is included also in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds – and vendors do not announce vulnerabilities before the reporters makes their discovery public, in order to properly credit them.
You can read the entire clarification here. Hopefully this would end this unfortunate controversy.