Good words, bad intentions

Booo Asa!!!

That’s one of the good reasons for Mozilla disclosing the full set of vulnerabilities we find. It can help other vendors test their browsers too. If we kept our findings secret, then whole categories of attack might not ever be tested by other browser vendors and those users could be at higher risk.

I agree with you that this sounds like a case where Opera (and Safari and IE) have determined that announcing all of their security vulnerabilities would lead to some bad press and it would take away much of the “we still had fewer vulnerabilities reported than Firefox” argument — which, if my suspicions about Opera and others not disclosing all security bugs is correct, is a completely fallacious argument.

- A

Suppose there is a vulnerability found by some Opera Dev, and fixed. If they write in the changelog what they found, it will make all those Opera users vulnerable that don’t read changelogs and that don’t update their browser. Of course, that argument is controversial since vulnerabilities found by third parties are disclosed in the changelogs. But here the deal is “give and take”, i.e. the finder of the vulnerability can only be credited if the vulnerability is disclosed, creating the incentive to report security issues.

I am not familiar with the way that internally found vulnerabilites are treated at Mozilla. I would guess that because of its open-source nature, the information would become public sooner or later anyway, so you could as well put the info in the changelog.

Now I really don’t want to defend Opera here, I’m just guessing why they might treat reporting those issues differently. I think Opera should (at least) mention that they found a security issue internally, without disclosing any more information about it. As a user I’d know when an update is security relevant, and Opera users that don’t update wouldn’t be more vulnerable than before, i.e. no change as compared to now.

So I agree with Asa (do I?) that the policy of disclosing only vulnerabilities found by third parties sounds a little like “would be bad advertising if we announced every security leak we find”.

If you look at the list of Secunia reported vulnerabilities fixed in Firefox, you’ll see that the overwhelming majority of them were discovered and reported to the public (and Secunia) by Mozilla people. There are a few Firefox vulnerabilities discovered by Secunia researchers, but nothing like with Opera where nearly all of the Opera vulnerabilities were discovered by Secunia researchers (or researchers from other security groups like iDefense.)

So, it’s pretty clear from looking at Opera’s and Firefox’s changelogs and Secunia lists that Firefox disclose internally discovered vulnerabilities and that either Opera doesn’t, or they don’t find any on their own.

Either one of those alternatives should cause Opera users some concern.

If you’d be so kind as to get someone from the Desktop team to respond to my question, that’d be great. Thanks.

- A

You highlighted something that I think has been missing from the conversation (both on my end and on Opera’s.) As you quote, Borg said “Not just because it has the most published security fixes, but also because we constantly improve stability and user interaction to prevent potential future attack vectors.”

I’ve read over his comment several times and since you highlighted it here, I’ll post here rather than at my blog. Here’s how I read that statement: “Don’t update simply as a response to our *Published* security fixes. Assume there are *unpublished* security fixes in every release.”

I could be reading way too much into his comment, maybe you can set me straight.

What I’d like to know is this: When Opera ships a new release, does Opera disclose all fixed security vulnerabilities, including those that were discovered in-house that would not otherwise be disclosed by the third party security researcher, and ?

At Mozilla, when we ship a new release, we disclose all vulnerabilities fixed in that release, not just those found by third party security researchers (where one obviously has to disclose because if a vendor didn’t, the outside security researcher probably would.)

The reason that I’m suspicious is that I can’t find any record of fixed vulnerabilities in Opera that were not credited to third parties. If that is indeed the case then it would seem that either Opera engineers and QA are not terribly effective at finding security problems in the Opera code, or Opera doesn’t disclose the flaws discovered in-house.

Will Opera go on the record saying that they disclose all fixed security vulnerabilities and not just those found by third parties?

- A

I have no issues with Opera holding back on the security aspects of 9.1. I trust Opera completly on the security issue. They have certainly earned it! The question I have is why some companies, Verisign and others I would assume, would want to hold withhold the information that a fix for a known but unannounced security hole has been released. It certainly makes sence to not announce a security hole prior to the fix being in place. Not everyone upgrades their browser right away. Why would Verisign want to delay the announcement? What do they get by holding off a few days?

The problem would be if people who went to the download page and saw no mention of security fixes decided to not get the update for that reason.

For those who, like Asa, who want to know what changes there are in your browser, you can wait to update your browser. No one forced you to go 9.1 the day it was released.

I wish Asa wasn’t so immature and ignorant of how these security vulnerabilities are published. He’s an insult to Mozilla.

One quibble on this: from what I read on the desktop blog, I got the impression it wasn’t an intentional omission so much as a vacation-caused mix-up.

As for leaving them off the changelog due to coordinated disclosure: it’s standard practice among many vendors to list simply “Security fixes” and add details later with the actual disclosure. I think most of the people complaining would have been satisfied with that. (Some wouldn’t, of course. I remember times Mozilla got flak for not providing details the moment the release notes with “security fixes” were posted, and it took them 48 whole hours, OMG!!! And then there’s the full disclosure crowd, who would have wanted details posted back in November…)