staying up to date and secure online
Brian Krebs, over at the Washington Post, has a great article up on the recently released study by IBM, Google and Communication Systems Group, which finds that Firefox users are far and away the most up to date users on the Web.
"83.3 percent of Firefox users were found to have the latest version installed at any given time. That's notably more than Web surfers using the latest versions of Safari (65.3 percent), and Opera (56.1 percent)."
Wow. That's a pretty stark difference. I'm not surprised to see Opera so low, considering their lack of a simple and efficient update mechanism (something I've written about in the past), but I am surprised that more than one third of Safari users weren't on the latest release, given that Apple does have that simple update mechanism as part of its operating system. I suppose that some of Apple's problem could be that it drops support for older versions of OSX rather quickly, and so there may be some decent number of people running OSX versions that simply cannot run the latest and safest software.
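Figures like these come from the browser version advertised in the User-Agent header of each visit. As an added example (not code from the post or from the study), the script below does the same measurement over a few constructed access-log lines: it pulls the browser and version out of each line, compares it against an assumed table of the latest releases as of July 2008, and reports the share on the latest release per browser. The latest-version table, the log lines and the function names are assumptions for illustration; a real measurement would also deduplicate by client instead of counting every request.

```python
import re

# Assumed "latest release" table for the date of the post (July 2008).
# The page gives no such table; these values are an illustrative assumption.
LATEST = {
    "Firefox": "3.0",
    "Opera": "9.50",
    "Safari": "3.1.2",
}

# Constructed sample access-log lines in combined log format (not from the
# study); the User-Agent string is the last quoted field of each line.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jul/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.0.0.2 - - [01/Jul/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.3 - - [01/Jul/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
10.0.0.4 - - [01/Jul/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.27 (Windows NT 5.1; U; en)"
10.0.0.5 - - [01/Jul/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.0.0.6 - - [01/Jul/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20"
10.0.0.7 - - [01/Jul/2008:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en-us) AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3"
10.0.0.8 - - [01/Jul/2008:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleBot/1.0 (+http://crawler.example.invalid)"
"""

# Version token of each browser. Order matters: Opera is anchored at the start
# of its UA, and Safari's "Version/" token must not be confused with Firefox.
# Pre-release suffixes (e.g. "3.0b5") are not captured, only the numeric part.
_PATTERNS = [
    ("Opera", re.compile(r"^Opera/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"\bVersion/(\d+(?:\.\d+)*) Safari/")),
]
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # last quoted field of the log line


def version_tuple(version):
    """'2.0.0.14' -> (2, 0, 0, 14), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(user_agent):
    """Return (browser, version) for the browsers in LATEST, else (None, None)."""
    for name, pattern in _PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return name, match.group(1)
    # Safari 2.x advertised only a WebKit build ("Safari/419.3") with no
    # "Version/" token; count it as Safari with an unknown, hence outdated, version.
    if "Safari/" in user_agent:
        return "Safari", None
    return None, None


def is_current(browser, version):
    """True when the reported version is at or above the assumed latest release."""
    if version is None:
        return False
    return version_tuple(version) >= version_tuple(LATEST[browser])


def up_to_date_share(log_text):
    """Map browser -> (hits on the latest release, hits seen). One line is
    treated as one user here; a real measurement should deduplicate clients."""
    counts = {}
    for line in log_text.splitlines():
        field = _UA_FIELD.search(line)
        if not field:
            continue
        browser, version = classify(field.group(1))
        if browser is None:
            continue  # crawlers and browsers outside the table are skipped
        current, total = counts.get(browser, (0, 0))
        counts[browser] = (current + int(is_current(browser, version)), total + 1)
    return counts


def share_percent(counts):
    """Percentage on the latest release per browser, rounded to one decimal."""
    return {b: round(100.0 * cur / tot, 1) for b, (cur, tot) in counts.items()}


if __name__ == "__main__":
    counts = up_to_date_share(SAMPLE_LOG)
    for browser, pct in sorted(share_percent(counts).items()):
        cur, tot = counts[browser]
        print(f"{browser}: {pct}% on latest ({cur} of {tot})")
```

Running it on the constructed log gives two of three Firefox hits, one of two Opera hits and one of two Safari hits on the latest release; the older Safari build is counted as outdated because it reports no version at all, which is the conservative reading for a lag measurement.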
The report is pretty clear on the state of software updaters, saying, "We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied."
The I.E. data is a bit less concerning to me because Microsoft continues to provide security updates for I.E. 6, so it matters less whether users move to I.E. 7. Still, with I.E. 7, users do get added protections both in terms of security architecture and user-facing security features, so Microsoft shouldn't be let off the hook for not moving more of its users forward. I do wonder if, as I speculated for Apple, Microsoft still has any significant number of users on pre-SP2 systems that simply cannot run I.E. 7.
My take-away from this is that we're doing a pretty good job, certainly with room for improvement, of keeping Firefox users up to date. Safari is the big let-down given their built-in system for updating their users, and Opera remains the lone browser maker that puts dozens of nice-to-have features above the basic security needs of its users. As I said in January of 2007, "Opera Software should not ship another major release until they have a similar [automatic update] program in place." Unfortunately for their users, Opera has shipped two major feature updates since, and there's still no sign of an automatic update system for their desktop users.
Security is a process. That process includes the effort an organization puts into developing a software architecture that's secure from the ground up, extensive code reviews to prevent security bugs from creeping in, thorough security auditing, both blackbox and whitebox security testing, quick responsiveness in fixing security issues as they become known, and fast and easy deployment of those fixes to their users. At Mozilla, all of that is available for the world to see and the results are solid. At the other browser companies, it's only that final step that's available to see, and if the other vendors are falling down on that one, who knows what else they're dropping on the floor behind closed doors.
reactions, thoughts, comments, etc.
Ah, priorities. I'm coming at this from a web developer's perspective, rather than a security perspective, and I want as many IE6 users to switch/upgrade as possible, as quickly as possible.
Posted by: Kelson | July 1, 2008 8:49 AM
According to this Opera 6.x looks more secure than Firefox 2.x.
Posted by: HaRT | July 1, 2008 9:28 AM
^ Nope, that just means Opera is much better at being secretive and covering up potential flaws. For all their users know, there could be a hundred times as many exploits in it. :)
Posted by: ant | July 1, 2008 10:07 AM
One problem with Safari updates on the PC is that like Quicktime, it doesn't just apply a patch but does a full download of the entire new version and does a re-installation. This makes my shortcuts non-functional and the downloads are pretty big > 50MB. If they had a nice update function like Firefox, I would be more apt to do it instead of just doing Quit when the update box comes up.
Posted by: Boberetzeke | July 1, 2008 10:47 AM
The development priorities of the Opera team often leave me baffled. If memory serves, they hinted at an automatic update system, like half a year ago, on their blog...
Posted by: Stifu | July 1, 2008 10:54 AM
Kelson, there are a million good reasons for people to move to newer browsers, security and Web standards compatibility are certainly high on my list. From a developer perspective, seeing IE 6 disappear is definitely huge. From a user perspective, though, staying safe online is critical, not just hugely important.
HaRT, you're comparing apples to oranges. Secunia is a list of mostly vendor disclosed security issues. Opera does not disclose the majority of its security issues and has a record of lying to their users about security fixes. Mozilla discloses all security issues. The comparison is meaningless.
Boberetzeke, yeah, the experience on Windows for Safari users is less than ideal. But that's not a big deal because there are very few of them, considerably fewer than even Opera.
Stifu, the critical need for a simple and automatic update mechanism was known to Opera years ago. I wrote about it a year and a half ago and their PR people talked about my blog post in press interviews. So, it cannot be said they don't know about the issue. That only leaves prioritization as the reason. Apparently it's more important to ship shiny new features than to protect their users in this most basic and critical way.
- A
Posted by: Asa Dotzler | July 1, 2008 11:17 AM
Oh boy, you all got me started on this one.
Again, it's the Gonzo journalism that takes the story of Firefox being the most secure browser at face value. According to a new study from researchers at Google, IBM and ETH Zurich, there are about 637 million Google users surfing the Internet with a vulnerable Web browser.
Hey have I got news for you, Opera users don't use Google but Yahoo. The ones who do are morons and fouling up the statistics. If you are so keen on finding the real truth I encourage you to search for the SecurityFocus analysis that shows that Opera is on top of every game.
You are being the biggest moron of all time when stating this phrase:
"Wow. That's a pretty stark difference. I'm not surprised to see Opera so low, considering their lack of a simple and efficient update mechanism."
Did you ever run Opera, you frigging moron? It automatically notifies of updates just like any other browser.
Asa Dotzler continues:
"Opera Software should not ship another major release until they have a similar [automatic update] program in place."
Rub that sand out of your face, you fool, and look at your own unstable Firefox 3.0 release that automatically makes it your 'default' browser without the user's consent. Hey, that reminds me of Internet Explorer!
Posted by: rvdh | July 1, 2008 2:21 PM
Posted by: Giorgio Maone | July 1, 2008 2:56 PM
Opera: http://secunia.com/graph/?type=sol&period=all&prod=10615
MSIE7: http://secunia.com/graph/?type=sol&period=all&prod=12366
Firefox: http://secunia.com/graph/?type=sol&period=all&prod=12434
Say Again?
Posted by: rvdh | July 1, 2008 2:58 PM
[quote]Opera does not disclose the majority of its security issues and has a record of lying to their users about security fixes.[/quote]
and that's based on information from where exactly?
Posted by: yesMe | July 1, 2008 3:55 PM
Rather than focus on the elephant in the room (IEx) this blog is a continual pathetic attack on what should be an ally - Opera (and Safari). Co-opetition and a move towards standards should be an end goal rather than a binary winner takes all approach. Really sad.
Posted by: Michael Payne | July 1, 2008 4:49 PM
yesMe, you can ask Opera yourself. They've confirmed on several occasions that they do not disclose even the existence of security vulnerabilities that they find internally. They only disclose vulnerabilities found by 3rd party researchers who (rightly) demand credit for their discoveries.
Isn't it a bit odd that Opera employees have never found a security bug in their own product?
You won't find any security vulnerabilities at Secunia or in Opera release notes credited to Opera employees (or to Apple employees for Safari). That's proof enough for most people that they don't disclose internally discovered problems -- or you could assume that they're incapable of or uninterested in finding bugs themselves (and no, you cannot assume that means they don't have bugs, because 3rd party researchers who don't even have access to the code find plenty of security bugs to prove that Opera has security bugs).
As for lying to their users about security fixes, see this incident for an example: http://weblogs.mozillazine.org/asa/archives/2007/01/opera_fails_to.html
Posted by: Asa Dotzler | July 1, 2008 4:52 PM
"You are being the biggest moron off all time when stating this phrase:"
I think I'll let that comment stand on its own.
Posted by: Asa Dotzler | July 1, 2008 4:53 PM
Michael, Microsoft actually does a significantly better job at keeping their users up to date with security fixes. See, unlike Opera, which doesn't have an automatic update mechanism, Microsoft does, and they use it to keep both their IE6 and IE7 users up to date with their latest patches. Sure, a lot of users haven't moved to IE7 yet, but IE6 is still maintained with security updates so that's not as big of a problem. If Opera still maintained security updates for Opera 9.2.x after shipping 9.5x and delivered security updates to both groups of users in a timely fashion using an automatic update system, that'd be great and I wouldn't have even brought it up. But they don't do either of those things. They don't support older versions and they don't have a good mechanism for moving older version users to newer versions quickly.
This study wasn't about all of browser security. It was about how up to date a vendor can keep its users with its own security patches. Opera fails miserably because they lack the automatic update system that all the other browsers have.
Opera is quite aware of this shortcoming and they've done nothing about it. It's been several years that they were the only browser without this critical security feature and yet they've spent countless hours and dollars on all kinds of features other than this critical one.
Just as I called out Safari for their bullying tactics with the Windows "Update" that installed _new_ software, so I'm going to continue to call out Opera for failing so miserably on this feature.
It is completely irresponsible to give people a browser in this day and age without it having automatic security updates. It's damn near criminal and Opera Software needs to do something about this critical deficiency yesterday.
Posted by: Asa Dotzler | July 1, 2008 5:00 PM
@rvdh:
Your post says it all. Calling names only works in elementary school; if you can't communicate in a mature way, please ask for help, you should not be ashamed of being in therapy. And by the way, those numbers mean nothing. What part of "Secunia is a list of mostly vendor disclosed security issues." didn't you understand? I don't know why all Opera trolls are the same, making the same points again and again and never listening when you offer a different point of view.
@yesMe:
http://www.heise-online.co.uk/security/Opera-patched-in-secret--/news/83279
@Michael Payne:
I don't know why all Opera fans are so sensitive, always playing victim. There is nothing wrong with pointing out shortcomings; you have to take it as a chance to improve. Like Firefox 2: the memory management and general stability sucked big time for me, but Mozilla learned and fixed the problems. Why can't Opera do the same instead of crying and whining?
Posted by: Juan Zamudio | July 1, 2008 5:25 PM
@Juan Zamudio
Why do you assume I'm an Opera fan? Waaa waa, cry cry, whine, whine.
Posted by: Michael Payne | July 1, 2008 7:37 PM
For as thick as Asa lays it on and for as much as we Opera users love to hate him (with reason), Asa's correct: despite the update check in Opera, people are too stupid and/or lazy to manually update. Microsoft and Mozilla have realised that IE and Firefox users are that stupid and/or lazy. It's about time Opera ASA realised it has users that stupid and/or lazy.
Posted by: Bleeding Heart | July 1, 2008 8:19 PM
@Bleeding Heart: It is always easy to blame the users. Fact is, most users are neither stupid nor lazy - they just have other priorities. They want a browser that can browse the Internet, and Opera 9.2 is just as good at this as Opera 9.5. Expecting a user to make security *his* priority and invest time into keeping his software up to date - that's what is stupid. Software update should take one click (at most); everything else is wasting the user's time and only makes people ignore updates because they have more important things to do.
Note that we aren't talking about security researchers or geeks here - we are talking about "regular" people who might be using the browser only for a few hours per week, or who might be using it for work only. You cannot ask them to spend twenty minutes on installing updates and that's regularly.
Posted by: Wladimir Palant | July 2, 2008 12:06 AM
http://secunia.com/advisories/27277/
"Provided and/or discovered by:
[...]
3) Reported by the vendor."
Found in three minutes of searching.
So much for "Opera never discloses security issues they found internally."
But bashing is only half as fun as long as it isn't blurred by facts, isn't it?
Posted by: wupperbayer | July 2, 2008 12:39 AM
If they are using said software for anything important, they are stupid and/or lazy for ignoring the updates.
OK, maybe they are just ignorant, but then surely that ignorance comes from being lazy. The information is there; even Opera (with the worst update system, at least on Windows) tells people there is an update ready, and the same message takes them to a download page.
If they can navigate the Internet they can click a few buttons to update.
If 43.9% of Opera users find 9.2 to be as good as 9.5 then Opera ASA have failed somewhere else.
Posted by: Bleeding Heart | July 2, 2008 12:54 AM
@wupperbayer
The "Original Advisory" (all opera.com) credit those to:
"Thanks to Michael A. Puls II for reporting this issue to Opera Software."
"Thanks to David Bloom for reporting this issue to Opera Software."
"Adobe security advisory APSA07-05 (CVE number: CVE-2007-5476)"
Posted by: Synonymous | July 2, 2008 3:43 AM
@Synonymous: OK, I didn't look into Opera's advisory. So what about that one: http://secunia.com/advisories/26477/
(Opera's advisory: http://www.opera.com/support/search/view/865/ )
Yes, it was found by using Mozilla's fuzzer tool. But it was found by Opera employees, so that issue shouldn't be mentioned if Asa was right.
My point is certainly not that Opera's notification about a new browser version is good. It is anything but that (although Bleeding Heart has a good point). My point is that Asa makes wild guesses about what Opera discloses to make its advisory footprint look somewhat untrustworthy. Why not just accept that Opera has fewer known security issues? From my point of view Firefox is a far better target as it has more users. So it's not a big surprise that more people try to find security issues in Firefox than in Opera. That would be a perfectly legitimate point for Asa, but instead he tries to make other browsers look bad. Does Firefox need this? In my opinion, it really doesn't.
Posted by: wupperbayer | July 2, 2008 7:53 AM
David Bloom works for Opera. So much for Opera employees not getting credited for discovering bugs.
Posted by: yesMe | July 2, 2008 8:40 AM
You do realize, don't you, that the most recent version of a browser cannot be compared to another browser for comparison of security. You do realize, I hope, that a fully patched Firefox browser would have remained at risk for a highly severe vulnerability which can remotely take over your computer for the past 12 days. You also do realize, I hope, that the first process is to make good bug free code. It is a matter of concern that so many vulnerabilities of Firefox are being found out by EXTERNAL sources (I would have had a lesser issue if those were from internal fixes, because that may have been due to better audit). While Firefox can boast of a good patch delivery mechanism, it fails in the first test for writing good secure software - that of providing good bug deficient code (not bug free, no software can truly provide bug free code). First live up to your boast of providing software which won't require rapid, repeated patching, then fix all issues fast; only then can you boast of being a secure browser! And by the way, any browser should have the ability to block scripts from specific sites (and make white and black zones) from within the browser itself. Any browser which needs an extension (NoScript) to do the same is intrinsically lacking in a security feature, and is not as security conscious as they would like others to believe.
Posted by: Nilotpal | July 2, 2008 8:45 AM
Opera's Linux support is pretty good - they provide RPMs, .debs and .tar.gz's and with 9.50 onwards, both 32-bit and 64-bit versions - none of which Mozilla does for any of the Linux versions of its products.
Where Opera fails on Linux though is exactly what Asa alludes to - they've failed to supply a proper repo setup for their RPMs/.debs so that a Linux distro's update mechanism can fold Opera updates into general Linux updates.
Until they do that, Linux users are always going to lag with Opera releases, especially since very few Linux distros include it in their repos/initial install due to its closed source nature.
Posted by: Richard Lloyd | July 2, 2008 9:29 AM
@yesMe: David Bloom works for Google: http://www.linkedin.com/in/dbloom
Posted by: Wladimir Palant | July 2, 2008 1:42 PM
@Wladimir: He does now, not at the time those security issues were discovered.
Posted by: yesMe | July 2, 2008 2:37 PM
@Richard Lloyd -- since so many Linux distributions include Firefox, I think it's a little less important for Mozilla to provide RPMs and the like. Sure, they may lag a bit in major versions, but most of the distros I've followed seem pretty good at releasing updated packages for security releases. I guess you could say it's outsourced?
I am impressed at the way Opera has simplified the packaging issue by creating essentially a 3D matrix of shared/static, package format, and architecture, then mapping distributions to the best package. But I agree, I'd really prefer a yum repository that I can just point at and let it update with the rest of the system, like Adobe does with Flash. I'm told they have an apt repository, at least.
P.S. I apologize for any incoherence in this post, as I'm still waiting for my coffee to take effect.
Posted by: Kelson | July 3, 2008 9:13 AM
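Kelson's "point the system at a repository and let it update with the rest" model, and the repo setup Richard Lloyd asks Opera for, only beat a manual download if the distribution's package manager can verify what the repository serves. As an added example (not code from the post, from Opera or from Mozilla), here is a small audit of yum/dnf .repo stanzas, with a constructed weak stanza (plain http, gpgcheck=0) beside a hardened one (https, gpgcheck=1, a gpgkey). Repository ids, URLs and function names are placeholders I made up for the illustration.

```python
import configparser

# Constructed .repo stanzas for a hypothetical third-party browser repository.
# The URLs are placeholders, not Opera's or anyone else's real repository.
WEAK_REPO = """\
[thirdparty-browser]
name=Hypothetical third-party browser repository (constructed example)
baseurl=http://repo.example.invalid/rpm/stable
enabled=1
gpgcheck=0
"""

HARDENED_REPO = """\
[thirdparty-browser]
name=Hypothetical third-party browser repository (constructed example)
baseurl=https://repo.example.invalid/rpm/stable
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/rpm/RPM-GPG-KEY-example
"""


def audit_repo_config(text):
    """Return {repo id: [findings]} for a yum/dnf .repo file given as text.

    Only enabled stanzas are judged; a disabled one cannot pull packages.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        issues = []
        if section.get("enabled", "1").strip() != "1":
            findings[repo_id] = issues
            continue
        # Package signatures: without gpgcheck=1 anything the server (or a
        # mirror, or a proxy on the path) hands out is installed as root.
        gpgcheck = section.get("gpgcheck", "0").strip()
        if gpgcheck != "1":
            issues.append("gpgcheck is not 1: packages install without signature verification")
        elif not section.get("gpgkey"):
            issues.append("gpgkey is missing: no key to verify package signatures against")
        # Transport: metadata, package lists and the key itself should not be
        # fetched over plain http where they can be altered in transit.
        for key in ("baseurl", "mirrorlist", "metalink", "gpgkey"):
            value = section.get(key)
            if value is None:
                continue
            value = value.strip()
            if key == "gpgkey" and value.startswith("file://"):
                continue  # a key file shipped with the package is fine
            if not value.startswith("https://"):
                issues.append(f"{key} is not fetched over https: {value}")
        findings[repo_id] = issues
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        for repo_id, issues in audit_repo_config(text).items():
            print(f"[{label}] {repo_id}: {issues or 'no findings'}")
```

The weak stanza yields two findings (unsigned packages, plain-http baseurl) and the hardened one none. The point of the check is that an "automatic" channel is only as trustworthy as its signature verification: a repository that is auto-updated but unsigned just automates whatever the server happens to hand out.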
> Nope, that just means Opera is much better at being secretive and covering up potential flaws. For all their users know, there could be a hundred times as many exploits in it. :)
It's meaningless to talk about "potential flaws", since for all their users know, there could be a thousand times as many "potential flaws" in Firefox anyway. And those "potential flaws" are NOT exploits; you are wrong to talk about them like they are the same thing. Security exploits are exactly that, exploits. That means if no one knows about the flaws and no one exploits them, then they are not exploits.
It's meaningless to talk about how many "potential flaws" there are in a product. For codebases as big as Opera and Firefox, there are bound to be thousands of bugs/flaws/holes somewhere in those millions of lines of code. The only thing that matters here is how many of those flaws are discovered by people, thus becoming exploitable, and how well those exploitable flaws are fixed.
Posted by: lostuniverse | July 28, 2008 4:53 AM
I just read about the security features for Google's new browser, Chrome. It says, "Google says that each tab runs in its own "sandbox," so that if there's nasty spyware-type software running on one Web site, it has no access to the rest of your computer, or even the other tabs." Does anyone know if firefox has the same security features? If not, how can I continue using Firefox without compromising my security?
Posted by: sfcitygirl11 | September 4, 2008 12:04 PM