Opera Software may well be putting its browser users at risk by not properly
disclosing security vulnerabilities to vulnerable users.
At least that’s the allegation made by Mozilla Corp.’s Asa Dotzler. According
to the security research firm that discovered the recent Opera
vulnerabilities, Opera’s security disclosure practices are no better (or
worse) than most vendors’.
Dotzler alleges that Opera downplays the severity of its security
announcements, which come weeks after a new product release.
“Now, let me make this clear up front. I am not claiming that they should be
releasing the explicit details of their fixes or specific information about
how to exploit the unfixed versions of the browser,” Dotzler blogged.
“But not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just
wrong.”
Opera software did not respond to requests for comment from
internetnews.com by press time.
A pair of highly critical vulnerabilities was recently made public by Opera.
Both of the vulnerabilities were reported to Opera by Verisign’s iDefense
security division. The vulnerabilities affect version 9.02 of Opera and
could potentially have led to the execution of arbitrary code if exploited.
Version 9.10 of Opera, which was released late in 2006, fixes the issues. The
official changelog for
Opera 9.10 does not make explicit mention of the security fixes for the
iDefense-discovered flaws, nor is there an indication that
users should move to 9.10 to fix the security flaws.
Mozilla’s Dotzler argues that even Microsoft does a better job of revealing
to its users that a flaw existing in a previous version of an application
and that an upgrade for security reasons is necessary. Dotzler had some very
strong words for Opera about its apparent lack of disclosure.
“This is an unacceptable practice for any company that makes Internet-connected software — and when it comes to browser makers, it’s hard to call
it anything other than negligence,” Dotzler wrote.
Despite the harsh words, Opera’s actions may well be
the norm rather than the exception.
“I believe Opera do try to downplay (and possibly hide the problems) in some
cases, just as MOST vendors do,” Frederick Doyle, senior intelligence
analyst at VeriSign-iDefense, told internetnews.com. “For example,
they have attributed some vulnerabilities we have reported as ‘stability
issues.'”
Opera didn’t exactly drag its feet in response to iDefense’s discovery
either. According to iDefenses’s Opera advisory, initial notification of the
security vulnerabilities was made to Opera on Nov. 16, 2006. Opera
responded the next day, and a coordinated public disclosure
occurred on Jan. 5, 2007.
“I would say they are slightly better than average, as they do fix
vulnerabilities in a somewhat timely manner,” Doyle said. “Although we
had some issues with getting them to address things a while back, they seem
to have gotten better with our recent reports to them.”
