As I mentioned in my previous blogpost, a couple of days ago Opera and iDefence Labs announced that Opera v9.x suffered from two highly critical vulnerabilities. Both have been patched in the latest release, v9.1. However, the timing of the announcement has created a fair amount of controversy. Today I read Asa Dotzler’s blogpost – Opera fails to notify users at risk
He says:
Not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.
By adopting this practice, Opera is doing their users a great disservice. If Opera has fixed any serious security flaw, the only responsible way to ensure that users are safe is to clearly and consistently explain to those users that the latest release of the browser has fixed security flaws and users should immediately update or face real dangers on the web. Opera should be using the press it gets around releases to forcefully proclaim that previous versions of their browser are unsafe and should not be used. Failing to use the loudest microphone they have to reach their users in cases involving user safety is simply unacceptable.
Asa Dotzler is (in)famous for bashing Opera (for ridiculous reasons) in the past. However, this time around he does make a valid point. Failing to mention in the changelog that you have fixed a critical vulnerability is shabby. Have a look at the timeline of events:
11/16/2006 iDefence notifies Opera about the vulnerabilities.
11/17/2006 Opera sends a response to iDefence.
11/17/2006 Opera releases a weekly build of v9.1. The changelog says nothing about the vulnerabilities. Between then and 18 December they release several more weekly builds; none of the changelogs mention the security fix.
12/18/2006 Opera releases 9.1 final, in which the vulnerabilities have been fixed. The changelog still fails to mention this.
01/05/2007 Opera and iDefence jointly release details about these security holes.
It’s baffling that they waited nearly three weeks after the final release before going public with this information. In the past they have always listed the security vulnerabilities fixed in the changelog, and their response time has generally been a couple of days.
Opera has also received flak for downplaying the seriousness of these vulnerabilities. If properly exploited (which is difficult but not impossible) they allow execution of arbitrary code, which is about as bad as a browser bug gets. Yet Opera Software chose to classify them as moderate, apparently rating them on exploit difficulty rather than on impact.
The problem with not declaring that an update contains security fixes is that many users, especially those on slow internet connections, may skip a release they believe contains only cosmetic changes. The fact that Opera doesn’t have a proper update mechanism doesn’t help either: even though most files are unchanged between releases, users have to download the entire setup file. Opera should either add an update system like Mozilla Firefox’s or start distributing smaller setups containing only the changed files.
However, I would like to state that I do not believe that Opera did this on purpose. It’s probably a mistake/slip-up on their part.
Update (8th Jan): Opera has issued a clarification regarding this issue.
It is important that both parties do respect each other: if a fix is included also in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds – and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.
You can read the entire clarification here. Hopefully this will end this unfortunate controversy.
7 responses to “Opera hiding security vulnerabilities?”
And Indyan, aren’t you a good Opera fan as well?
I’d say this was shocking, but what would you say about this in a nutshell?
I am a big Opera fan.
In a nutshell I don’t think delaying notification about security fixes/not mentioning them in the changelog is a smart thing to do.
Cut them some slack. Opera is not an IE, or for that matter even Firefox. What is their market share? 1%? Everyone tries to manipulate the facts to make them sound good. What matters is they fixed it. If there is a new version, one should take the pains of updating it. I don’t think there has ever been an updated version just for the cosmetic changes or just for the addition of some feature. I am happy with Opera the way it is. You cannot ask them to offer everything that Firefox and IE do. Autoupdate and small update patches IMO only look good on paper. 4MB is not something big. If you just have a brief surfing session, use IE or the old version. It doesn’t translate into suicide. Maybe risky, but how many times have you been at the receiving end of bad code which screws your system or puts your privacy at risk? I feel Opera is in a class of its own, the users of which seek pleasure from it while using it to surf the web. Everything has some flaws, stop nitpicking. They may have their own reasons for doing what they have done.
I don’t think Opera is trying to manipulate facts to gain marketshare. It’s against their company’s ideals. It was probably a mistake, but a bad one.
You do make a valid point about Opera still being more secure than its counterparts.
Secunia issued 2 advisories for O9 in 2006 and both of them have been fixed. Firefox has also had 2 advisories issued against it, but they have dealt with only 50% of the issues.
If I might make a suggestion,
everything on your blog looks great, but the color for the text in the block quotes is a bit difficult to read because it’s such a light grey on the white background.
Otherwise, you have quite the interesting blog. I especially agree with you regarding Opera’s questionable bug reporting activities…it really makes you wonder what else they aren’t telling you.
Thanks for the suggestion. I have changed the colour so that it’s much easier to read.
This is what I have to say, I can feel somehow, Opera is not as good as it should be,