Opera screeches at Mozilla over security disclosure

Opera has taken exception to the manner in which Mozilla handled the disclosure of a security bug that affects both firms' browsers. The moderate severity flaw involving file input controls creates a means to upload arbitrary files, assuming hackers know the full path and name of the file. Mozilla fixed the flaw, along with …

COMMENTS

This topic is closed for new posts.
  1. Rob
    Gates Halo

    Oh noes!

    "Our competitor found a bug in our software and didn't tell us about it! How unchivalrous of them!"

  2. Anonymous Coward
    Flame

    Opera has an awful record at fixing bugs

    Their Opera Mobile browser has almost no competition and they don't even care to fix major bugs. I am glad they have to compete with Firefox on the desktop so they feel the heat.

    Opera has to be the most unresponsive company I have ever dealt with. Visit the forums on their own website and you will see what I mean.

  3. Anonymous Coward
    Thumb Down

    More than a day to evaluate a security bug?

    It's a little silly for Opera to be whining at Mozilla when the root cause is their own inefficiency. A day should be plenty of time to evaluate a bug and if it isn't that is where the problem lies, not in your competitor's unwillingness to leave their customers unaware of a security flaw for too long.

  4. Futaihikage
    Unhappy

    Ah Yes... we have nothing but big babies in the Tech Industry now

    Yikes... I thought all the patent squatters and the companies suing each other for copyright infringement was bad. This is utterly ridiculous, to the point of being scary. If they have time to come up with a complaint like that, then they have WAY too much time on their hands.

  5. Joey Y
    Unhappy

    Opera and responsiveness

    "Opera has to be the most unresponsive company I have ever dealt with."

    That is odd. I have been using Opera (on the desktop) for years. Back in 2001, it was Version 6, and you still had to pay for it, I bought it...

    Every time I contacted their support department, either about a browser bug, feature or suggestion, or even just about a webpage that did not work correctly in Opera, I always received a reasonable answer promptly. Sometimes, the answer was "sorry, but you will have to wait until the next release" (such as reliable gmail compatibility). Other times, the problem was fixed in the next update.

    Not to say that they are perfect, but they do pretty good for a private corporation releasing a free webbrowser.

    (By the way, how *is* the Firefox mobile browser coming? Any progress?)

  6. Matt Caldwell

    I think the point is....

    that even if Opera is inefficient/bad at repairing bugs Mozilla shouldn't have released details of the bug as it puts innocent end users at risk.

  7. Ryan

    Opera has Mozilla as Competition on Mobiles

    Haven't U heard of MiniMo? It's Mozilla's Mobile Client. I've been using it since version 0.015, they're up to like 0.023 now and may be further along. I stopped watching when I gave up my mobile phone and got an NEC Mobilepro 900C. I couldn't use it anymore but haven't checked since upgrading my Mobile with CMonex's custom bootloader ROM v2.0. I may have to go try 0.016 again, as I believe 0.023 is WM5 and up only.

    At any rate the best Web browser I've found for at least the Mobilepro 900C is actually Internet Exploder. It renders all current pages, even the flash portions and looks great, despite coming from Microsoft.

    None of the others (Netfront, Opera, etc) have worked thus far.

  8. Rob Beard
    Stop

    Good reason to open the source up

    Maybe it's a good reason to open up the source code...

    That way there would probably be more eyes looking at the code and more programmers able to provide a fix.

    I'll avoid using the Wii browser for now me thinks.

    Rob

  9. John Hanson

    The message is...

    Disclosure can be performed when you have the information. Opera had the information so they could have disclosed. The delay of disclosure more often works for the software manufacturer than it does for the malcontent community...admittedly when a writer gets caught well then there is a different message it sends. It says 'we don't have the staff, the organization, or place the same importance on 'it' than 'others'.

    Opera instead needed to get the message out that they were not to blame but that 'irresponsible disclosure' was to blame. That way Opera users will have the ability to claim they are especially discriminated against and the reverse of that is how special Macintosh users feel because they are not vulnerable to the mass of vulnerabilities that the rest of the world is!!!! Huh!

    Stop the whining and establish your reputation as one of the fighters for open and safe computing on all platforms. Do it now, quickly, and those of us that have an opinion based on fact will take notice.

  10. jim
    Coat

    Grow up Opera

    Can't stand the heat then.......Get your coats.

  11. Edward Miles

    Oh look...

    We Screwed up! But don't tell anyone...

  12. Troy Shanahan

    Whaaat..?

    Okay, why are Opera whining about this? They should have jumped on the info that mozilla provided asap, instead of procrastinating. Anyway, what was mozilla supposed to say when they released the patch without telling their users about the vulnerability? "We're just patching our software for the sake of it"?

    Honestly, pull your head out Opera. Knuckle down and you might just beat mozilla to patching the hole.

  13. Antoinette Lacroix
    Flame

    Irrelevant

    Opera is a small company, still they are better than anyone else. Some might suggest they open their code, so bugs can be spotted faster, but it's all they've got to make a living - so stuff that. Support is superb, if you don't ask questions that haven't been answered a million times before, that is. Typical (l)user questions get the RTFM response they deserve ! I really love them for that; they almost scared away the pathetic Ubuntu crowd. ( WAHHH my foo-icons don't show in toolbar-bar, etc etc, laugh giggle,rofl - buy Windows you cheapskates . . ) Opera devs are techie, and concentrate on important stuff. REAL flaws are fixed in no time. This flaw isn't likely to be exposed by anyone, it's not something that makes you lose sleep. It'll get fixed in a few days, so what ? On the other hand, the Firefox ppl are very eager to propagate their bloated mess, and make others look bad. Opera gave Unix users the option to run Linux plugins on a native version of their browser. No other browser can do that. We could use the Linux version of FF, but it craps out so often, it's almost unusable. How about writing portable code, instead of spreading FUD over nothing ?

    ( Where's my BSD icon ? Shall I paint you one ? )

  14. Anonymous Coward
    Linux

    Here, Here

    I agree with Brian Smith. For example, the recent Linux kernel privilege escalation flaw was analysed and a fix put out to testers within *hours*, not days - production fixes were available for most distros within 24 hours. That's what users ought to expect for a serious *security* flaw.

    If Opera isn't organised to act swiftly on security flaws, that's their problem.

  15. Thomas Hurst
    Stop

    Screeches?

    What's screechy about a few words mentioning what happened, a couple of emoticons and a "we believe in *responsible* disclosure"? It's not like keeping the exploit embargoed for a couple more days would hurt, and that's precisely what Mozilla would expect from others were the situation reversed.

    Did Opera kill your dog or something? Sheesh.

  16. Anonymous Coward
    Go

    What choice did Mozilla have?

    It seems like Moz had little choice really. They needed to fix the bug ASAP, and once fixed the source code of the fix would be public anyway, and thus so would the vulnerability.

    Mozilla typically fix security issues within a few days of them being discovered. If Opera can't keep up with them, too bad. The choice for Mozilla was either give Opera as long as they need to fix the bug (i.e. wait indefinitely) and leave their own browser vulnerable, or fix and publish.

    They made the right decision.

  17. Anonymous Coward
    Flame

    All your bugz are belong to us

    It's pretty simple really - think of it from a user's perspective (a tech-savvy user that is). If there's a bug in some software, especially a security bug, you want it fixed don't you? asap? yes please. If your vendor, mozilla, or opera, or MicroSh!t or whoever, are lagging behind, and don't have the business processes in place to fix said bug in a timely manner, then you should either not be worried about it, or you should move to another vendor who can. Just because Opera were "officially" told about the bug 24 hours previous doesn't mean they didn't know about it beforehand (shhhh, no-one will notice)

    At the end of the day, users will vote with their feet - if opera can't take the heat then Foxtrot Oscar out of the kitchen.

    On the other hand, it could be a terrorist conspiracy........18/02

    bah

  18. Dark
    Stop

    humm

    Mozilla knew about the vulnerability for weeks.

    It was just one day before releasing the patch that they informed Opera about it.

    https://bugzilla.mozilla.org/show_bug.cgi?id=408034

    The original bug submission, reported: 2007-12-11 23:06

    http://www.mozilla.org/security/announce/2008/mfsa2008-02.html

    Mozilla Foundation Security Advisory 2008-02, announced: February 7, 2008

  19. Anonymous Coward
    Anonymous Coward

    Screeching? No, common sense.

    You think ONE DAY is enough to analyse a security issue? The point is that Mozilla sat on the information until they had their own fix, they didn't make it public to their own customers, or to Opera. Mozilla knew fine they were putting other people's customers at risk. Considering the whining Mozilla made recently when Opera DARED to fix a vulnerability without telling anyone first...

    Opera's always had the best record for vulnerability patching of all the browsers, in speed and completeness. The Secunia stats speak for themselves..

    http://secunia.com/product/12434/?task=statistics

    http://secunia.com/product/10615/?task=statistics

    Firefox 19% unpatched, Opera 0% unpatched.

  20. Alan Donaly
    Linux

    The thing is it's open source.

    You have to tell people why the hell you're changing things or they will maul you, there can be no secrets not at the Firefox level it's too public and too well used anything that smells of secrecy will raise all sorts of nasty suspicions. As for Opera I have two words for them, keep up. If Opera wants to return the favor sometime I am sure they won't hesitate.

  21. Mahou Saru

    Only if Opera pays for the service

    Opera's devs should be keeping a beady eye out for any bugs be it Flash, Java, IE or FF. Unless they are paying FF to do their work for them they should ensure bugs reported to affect other systems don't affect theirs too.

  22. Stuart Van Onselen
    Unhappy

    Now, now, children - fight nicely

    "Did Opera kill your dog or something? Sheesh."

    No. Opera dared to criticise their icon, Firefox! FF/Mozilla is always right, damnit! Regardless of any inconvenient "facts".

    I've seen many IT religious wars in my time, so I thought I was used to it. But this one blew my socks off, the response was so ridiculously disproportionate. I've seen Muslims react less explosively to the Danish Mohammed cartoons!

    Are all FF fan-boys really so insecure, defensive, and puerile? Get a life, get laid, and chill! It's only a web browser, FFS!

  23. stizzleswick
    Stop

    @Thomas Hurst

    " it's not like keeping the exploit embargoed for a couple more days would hurt, and that's precisely what Mozilla would expect from others were the situation reversed."

    From what I know of the Mozilla community, that's precisely what they would not expect of others. They'd just dig in and plug the hole.

    "Did Opera kill your dog or something? Sheesh."

    Nope. They have a good product, but honestly, they take too bloody long to fix documented security bugs. Then they complain that others have fixed it first. And yes, I know it takes a few days to do it. That's no reason to whine though.

  24. Ian Johnston Silver badge
    Thumb Down

    Opera aren't

    I've tried Opera repeatedly - and hopefully - over the years, on Windows, OS/2, Linux and Symbian. With the exception of the Symbian version - which is just slow - every single one has been unusably crappy, with a mean-time-to-crash of a few pages. I presume Operasoft is a couple of blokes in a bedroom somewhere, in which case even a vaguely functioning browser is quite an achievement, but it's really time it joined Cello (remember Cello?) and the rest in the Museum of Didn't-Quite Browsers.

  25. Chris
    Thumb Down

    re; hmmm by Dark

    This just proves how petty Opera is... FF announced it almost 2 months ago to the world...

    Eummm Opera ... Mozilla did not even have to notify you lot, but they did none the less!

    My 2cents.

    Thumbs down for Opera

  26. Graeme Griffiths
    Thumb Up

    Opera certainly are

    I don't really care about the vulnerability, I know Opera will fix it as soon as they can, but I have to correct Ian Johnston.

    I don't know when you last looked at Opera but it's been very usable since v6 and virtually perfect since v7. I've been using it as my browser for over 5 years now and, on odd occasions I use other people's computers, I miss Opera's speedy response and mouse gestures. For a while I did, occasionally, have to resort to IE for web-pages designed by idiots who use M$'s bastardisation of web standards but that is virtually unheard-of these days. I can't remember the last time it crashed (so "a few pages" is just bollocks) but on the odd occasion it has bombed-out at least you can return to exactly where you left-off.

    If you haven't used Opera recently, give it a go, it blows all the others away.

  27. breakfast
    Paris Hilton

    @Ian Johnston

    Your experience of Opera is so utterly and diametrically opposed to mine that I can only assume you are doing it wrong.

  28. Mark Rendle
    Joke

    Bored now

    First Microsoft are mean, now Mozilla are mean... am I the only one wishing the fat lady would sing?

  29. Mark

    "You think ONE DAY is enough to analyse a security issue?"

    If you have POC code, then five minutes is enough to analyse a security issue:

    Are we vulnerable?

    Yes/No.

    At the very least you can find out where your code does X that is flawed and either tell users about it (so they can not do whatever it is that makes X happen) or close off just that one vector.

  30. Spearbox
    Pirate

    Hurrah

    Firefox users unite once more to bash Opera. Grats, you just sunk to a new low.

    Personally whether you all like it or not, Firefox knew about this a significant while back - as linked before. They chose only now to notify Opera. Fair enough they notified Opera when they didn't have to but why notify them 24 hours in advance and not when they had it first reported?

    Opera have 24 hours to roll out a huge number of the versions they have available to the candidate, after fixing and documenting the bug. Mozilla has taken 3 months to fix it.

    24 hours? Imagine how huge their email inbox will be and here you are jumping on your bandwagon spitting out your flamed responses like kids who've been deprived of a lollipop. You spit on microsoft, scorn at Bill Gates, and waggle your behinds like adolescent teenagers at Opera.

    You lot should be ashamed of yourselves.

  31. Stuart Van Onselen
    Joke

    Duel

    Opera fan-boys vs Mozilla fan-boys at dawn: 20 paces, armed with vulns-lists.

    I'd pay to see that. :-)

    (Later in the day, we'll get to see the vi vs. emacs annual soccer game, followed by the Mac/Linux/PC 3-way cage-wrestling bout.)

  32. Allan Rutland
    Joke

    Am I the only one...

    who noticed those evil other browsers suffered from something the wonderfully secure and shiny IE didn't... :P

  33. A J Stiles
    Linux

    You Get what you Deserve

    and if you use *any* software whose Source Code hasn't been independently audited, then you deserve what you get.

    The day Opera un-cage their Source Code (and they'll end up having to do so by law, one day) is the day I'll be interested in anything they have to offer.

  34. Anonymous Coward
    Anonymous Coward

    In Summary...

    1) Opera have valid beef with this, Mozilla knew about it weeks ago and should have given more than a days notice before scoring a 'one up' security goal against a competitor browser.

    2) Opera is more secure than FF. (as above comments)

    3) Opera renders quicker than FF. (proof in the pudding)

    I'm not a fanboy of anyone's, these are merely the facts. I use IE, FF and Opera in different situations and happen to find Opera to also have the most useful feature with its speedial page.

    Everyone's different but if you haven't tried Opera recently I'd recommend at least giving v9.25 a go. (avoid 9.5b beta, it is still very buggy).

  35. Fluffbucket
    Alert

    It's sad to see all the ignorant and venomous remarks that totally miss the point

    Wow, some people here are really clueless.

    "One day should be more than enough"

    Really? Someone talked about how the Linux kernel got a fix in a day. A fix for TESTING! A bugfix ready for testing does not mean that it is ready to be deployed in a finished product! There's more to fixing a bug than writing some code and compiling, you know.

    "Why expect competitors to alert you of flaws?"

    Because this is what *MOZILLA* wants other browsers to do to them! They are big on "responsible disclosure"! They preach it all the time! But this time they did not practice what they preach or expect other browsers to do to them.

    @Andy S. - All browsers have major bugs. Look at the memory leaks in Firefox.

    @Futaihikage - What, if they have time to briefly mention Mozilla's irresponsible disclosure, they also have the time to analyze the problem, plan the fix, write the actual code to fix it, do the testing to see if the flaw is really fixed, and then test for regressions? All of this could have been done in the same amount of time they took to write a paragraph about Mozilla's irresponsible disclosure??

    @Matt Caldwell - Opera has a better track record than Mozilla for fixing security holes, as a matter of fact.

    @Paul - Actually, Mozilla can often take its sweet time. There was a chrome:// flaw which was open for what, five years? Opera has a better track record. And Mozilla could have released the fix without giving out all the details on the flaw. You know, like other browsers do when more than one browser is affected.

    @Alan Donaly - Opera has been responsible when they have found bugs that affect Mozilla. Mozilla who keep preaching about "responsible disclosure" could have returned the favour.

    @stizzleswick - When did Opera take too long to fix security bugs? And the complaint is NOT THAT MOZILLA FIXED IT FIRST. It's that MOZILLA NOTIFIED OPERA ONLY A DAY BEFORE THEY DISCLOSED ALL THE DETAILS. The problem wasn't the fix, but the irresponsible disclosure.

    @Ian Johnston - Opera has been around for more than a decade and is in fact the leading mobile browser.

    @Chris - "FF announced it almost 2 months ago to the world" - no they did not. They announced it when they released their fix.

    @Mark Rendle - What do you mean by mean? The point is that Mozilla keeps yelling about responsible disclosure and yet they are hypocritical in this particular situation. And all Opera did was to write a couple of sentences about it on a blog where 9.26 was announced.

  36. Paul Williams
    Pirate

    Disclosure

    Just because a flaw has not been disclosed does not mean that it is not being actively exploited. I would rather they disclose immediately than continue using the software not knowing about it. I cannot mitigate or evaluate how critical a problem is to me if they don't tell you about it whereas I can if they do. Keeping flaws quiet does not benefit the users of the software as if it has been found by a security researcher it may already have been found and exploited for malicious use.

  37. Chris Cheale

    Opera... shiny

    Just a thought - Mozilla gave Opera the heads up 1 day before releasing the patch on Firefox (and presumably Seamonkey) but they'd known about it for yonks... what exactly stops Opera from keeping an eye on FF's bugzilla? Had they done that they'd have known about the vuln as well.

    Both browsers render in a similar manner, they're both pretty well standards compliant - they're solving the same problems using the same "rules", it's not exactly unthinkable that they both _might_ occasionally make the same mistakes; the programmers are only human after all.

    My tuppence worth, as a browser Opera (9) is the best out there - better than Safari, Firefox and IE (although to be fair I'd rather use Lynx than IE for the most part) - that is, from a "normal" user perspective. Mouse gestures, magic wands, quick dial and even some of the silly widgets are quite nice.

    From a developer point of view I tend towards Firefox; WebDev toolbar, Optimoz tweaks (inc. mouse gestures), Venkman JS debugger, Tidy, Table2Clipboard (one of the most useful extensions ever when you need to deliver reports in a spreadsheet) and well... Bork Bork Bork! You can "translate" any webpage into Swedish Chef speak - utterly pointless but fun for maybe 20 minutes.

  38. Stuart Van Onselen

    @Fluffbucket

    Like I said, why would a good fan-boy let a little thing like "facts" ruin his orgy of mockery? The essence of blind adoration is to prefer "truthiness" over "truth".

    (And that goes for fan-boys on ALL sides of EVERY religious war, please note!)

  39. Mark

    @Allan Rutland

    Aye, it would be hard to know WHAT IE vulnerability that allows access to the local machines' files would be one that was because of THIS particular vuln.

    Talk about finding needles in haystacks!

  40. Fluffbucket
    Thumb Up

    @Chris Cheale

    "what exactly stops Opera from keeping an eye on FF's bugzilla?"

    The fact that Mozilla's security bugs are hidden until they have released a fix perhaps?

  41. Ilgaz Öcal
    Thumb Down

    Another reason to boycott Firefox

    All I hear about Firefox these days: Looking for excuse to send your private browsing data to Google, Abandoning Thunderbird because some big mail provider didn't like the fact that people use that client instead of web browser, trying to undermine small company coded browsers.

    Open source and free? Limewire is, too.

    Not a huge fan of Opera especially because they refuse to support OS X Keychain but, it doesn't deserve this. Try posting a previously unknown, not yet fixed Firefox issue to their "non official" web forums at Mozillazine, see what happens.

  42. Anonymous Coward
    Anonymous Coward

    Doesn't surprise me at all.

    I used to beta FF2 until I came across a usability issue which dropped my productivity down below that of IE so naturally I raised it and kept raising it. I dared oppose the godo crew! I was vilified, told to go and use another browser etc. In the dialogues it became apparent that the majority of the crew are little progressed beyond script kiddie mentality. This is just another example.

    Oh and I did find another browser that I use by choice over FF2.

  43. Matthew
    Heart

    @The Reg

    Anyone done a report on Reg Readers' favourite browsers?

    I'm sure it would produce interesting reading, and probably feed the flames...

    I'll put myself firmly in the Opera club. I went off Firefox some time ago.

  44. Patrick O'Reilly
    Black Helicopters

    Fair is fair

    From the sounds of things Mozilla really weren't up to the challenge were they?! 7 weeks to fix the flaw, medium as it was. If it really was complex enough that Almighty Mozilla needed SEVEN WEEKS to fix the flaw then no wonder Opera were pissed that their users were put at risk with only 24 hours notice!

    Oh yea MiniMo I used that, it was so slow and 'clunky' that it rendered my PDA virtually unusable, but surprisingly Opera Mobile put hardly any load on the system.

    See being a private company Opera can as good as guarantee their customers a secure product (under SLA of course) otherwise they can get sued! Mozilla has no such headaches or fire if you will.

    BTW How's that Acid2 compliance coming along for you guys?

  45. Matthew
    Heart

    Opera have fixed it already!

    Version 9.26 (released today) closes this vulnerability. I found out when I opened Opera this morning.

    Hmmm. Reported on the 18th Feb, complained about short notice on the 19th and closed vuln on the 20th. And they're being complained about as slow?!

  46. Steve

    And...

    now it's fixed, as Opera usually does, quite quickly too. No idea what the fuss is all about, there are some good and bad browsers out there, theirs is the best if you care to learn it imho. A lot of homegrown hype about Firefox seems to get the attention, Opera was remiss initially about requiring folks pay for it. Regardless, Opera, Konqueror, SeaMonkey, all good stuff.

  47. Steven Swenson
    Stop

    @Ilgaz Öcal

    "All I hear about Firefox these days: Looking for excuse to send your private browsing data to Google"

    Edit > Preferences > Security tab.

    [X]Tell me if the site I'm using is a suspected forgery.

    *Check using a downloaded list of suspected sites.

    *Check by asking [Google] about each site I visit.

    Oh, you mean -that- excuse to send your browsing data to Google?

    How sneaky of them. Hiding it right there in your preferences.

  48. Steven Swenson
    Thumb Up

    @Patrick O'Reilly

    Acid2 compliance is coming along nicely actually. In Firefox2 Acid2 renders much better than the convoluted render in IE7. I've heard Firefox3 renders it perfectly. IE8 also apparently renders it perfectly, though I hear you're going to need a special meta tag to turn on IE's "compliance mode". A tag that I don't think is included in the Acid2 test page...
