Opera Desktop Team

Handling Security

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview of how security issues get reported and disclosed, not only at Opera but for most applications: it might help people understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. Sometimes reporters set a deadline by which they intend to make full disclosure of the vulnerability, but usually the reporter and the vendor agree on a disclosure date that suits both. If the exploit is not clear, both work on the details and a PoC (proof of concept). Once a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for discovering the vulnerability.

It is important that both parties respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), the fix for the vulnerability is not announced. This is a form of respect both for the reporter and for all the users who only upgrade to stable releases: making the vulnerability public knowledge before a stable version fixes it would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds, and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to credit them properly.

Sometimes we even leave an issue out of our changelogs although we have already fixed it, because we are waiting for other vendors to fix the same issue in their products.

Yngve posted a while ago a nice summary of what exactly a security issue in a browser really is. Let me further stress what he already wrote: we do take security very seriously at Opera, and carefully analyze and evaluate every security issue that is reported to us. It can happen that the severity of an exploit is upgraded by our internal security team at a later stage, because further analysis shows that the original severity rating was not accurate: our priority is to fix the issue first; further and deeper analysis continues even after that, and can sometimes rectify the initial findings.

So what you have been seeing with the 9.10 release and the delayed announcement of two vulnerabilities is an unhappy coincidence of the release and the Christmas vacation. Happy new year to all, and enjoy safe browsing - and remember to upgrade to 9.10 if you haven't done so yet.

Comments

Where can I get a link to a writeup of the vulnerabilities?

I had to move away from 9.10 and back to build 507 'cause of some other Opera-related bugs and I'd like to know what to look for.

By kennycrudup, 8. January 2007, 17:35:02

Well, I'm still very pleased with the progress you guys have been making. Keep up the great work.

By kyleabaker, 8. January 2007, 17:46:41

3rd
where is the new build?

By _artem_, 8. January 2007, 17:51:11

thanks for explaining csant

By arghwashier, 8. January 2007, 18:06:45

I have never been so high up in the list, till now.
Anyway, when are we getting Opera 10?
It's almost a year since we had the Opera 9 beta 2 build released. Since then I have been following Opera very closely. Looking at the past year, don't you think something is really due for us? Opera has already taken a small step; I'm waiting for that giant leap.

By impotent, 8. January 2007, 18:07:22

thanks!

waiting for the new weekly build.

By Ahui886, 8. January 2007, 18:08:26

Opera is the best ^^

By Kuja IX, 8. January 2007, 18:19:57

Opera is the safest, fastest and coolest browser in the world. :smile:

By Vempire, 8. January 2007, 19:06:25

Thnx, waiting for new build :smile:

By rxbbx, 8. January 2007, 19:14:21

For me Opera is currently the best browser (I tested Firefox and IE). But... I found a small bug in this browser:

When I begin downloading file(s) in Opera Browser I can't type (in Opera Browser) these symbols:
-ż (on keyboard press: z and right Alt )
-ź (on keyboard press: x and right Alt )
-ć (on keyboard press: c and right Alt )
-ń (on keyboard press: n and right Alt )
-ł (on keyboard press: l and right Alt )
-ś (on keyboard press: s and right Alt )
-ą (on keyboard press: a and right Alt )
- (on keyboard press: u and right Alt )
-ę (on keyboard press: e and right Alt )
Of the letters (characters) accessible under right Alt I can write only ó (on keyboard press: o and right Alt).
I can write all of these letters accessible under right Alt when I restart Opera Browser.
When I again begin downloading file(s) in Opera Browser, the bug comes back. In other browsers I can surf the Internet normally. I checked this bug in Opera 9 under Windows XP, 2000 and 98. In Opera version 8 I don't find this bug. I have a Polish keyboard.

I hope that you repair this bug in the next version.

By sacud, 8. January 2007, 19:39:56

I notice that some of us do not seem especially concerned about vulnerabilities. :wink: Still, it was nice of csant to give us a detailed explanation of Opera's position on this.

Uh... when do we get the next build? :wink:

10 is probably going a bit far, but it should definitely not be 9.11 because of the psychologically negative associations that set of numbers has come to have. 9.2 would be the lowest number the next one should have. But of course we hope for something even more advanced. Uh.. I guess.

{explanation follows; you can skip to the last paragraph if you don't care. :smile:}
I find that even though I use mostly 9.10 in my daily interactions with forums, for most of mY [yes, we're all different] rather simple browsing I find that some of the advances are unneeded. I still prefer 7.11b [build 2887][GASP. What a stuck-in-the-mud sort of fellow this 'firstnight' guy is.] with a modest number of customisations. [the only thing it lacks for me is opening links with the scroll button of the mouse.] With series 9, I have to customise a lot more, and I still don't get centered display of opened images in user mode. But I can customise 9.xx to get 'save with images as' directly as my primary save mode. But it takes my time and work to do it.

I guess I'm hoping the next test version published for us here continues to address those security issues, and also provides customisation options to keep our personal most used basic functions simple with as few clicks as possible to get to the specific function each of us wants. That is always a challenge when adding new features and integrating them into the overall code organisation.

By firstnight, 8. January 2007, 19:58:19

@firstnight: Just because of the circumstances of September 11th doesn't mean that no one can ever again have a piece of software versioned 9.11. That's just silly. It's not like the emergency telephone number 911 is changing....

@impotent: Uhh, Opera 9 was a *giant* leap.

@ALL: Will you please try to stay on topic? Don't ask about Opera 10. Don't ask about the next weekly. Don't post random bugs. If you want to comment on this post, say something remotely related to security, please.

By Junyor, 8. January 2007, 20:15:44

you guys act frankly and professionally as always, big compliment.

By Stevie1, 8. January 2007, 20:19:57

You gave a nice description on how the process is supposed to work - but you still didn't really answer why those two vulnerabilities were not listed in a changelog.

You mention sometimes "because we are waiting for other vendors to fix the same issue in their products".

- First, was this one of those times?

- Second, I don't consider this an acceptable security policy - why should Opera users' security be threatened (by not alerting them that Opera 9.10 has security fixes) just because Firefox X or IE version Y don't have such a security fix yet? Isn't one of the selling points of Opera its supposed security? If you're not going to disclose security information to your users in a timely fashion until Firefox fixes it, should I just use Firefox?

- Third, it would be good marketing for you to crow that Opera is safer in feature X.

Ultimately the last paragraph seems to indicate that someone, somewhere screwed something up due to the Christmas holidays. Which calls into question how serious Opera really is about security.

And before all the Opera fanboys jump down my throat - I am a big fan of both Opera and Firefox, but I'm quite disappointed (so far) by how Opera flubbed this one (slashdotted, dotzler, etc all are making Opera look bad and shaking the confidence).

By jeff_schiller, 8. January 2007, 20:52:58

Originally posted by "_artem_":

where is the new build?

Originally posted by "Ahui886":

waiting for the new weekly build.

Originally posted by "rxbbx":

Thnx, waiting for new build

Originally posted by "Junyor":

@ALL: Will you please try to stay on topic? Don't ask about Opera 10. Don't ask about the next weekly. Don't post random bugs. If you want to comment on this post, say something remotely related to security, please.

I am running swiss cheese security, aka Windows, do I look like I care about a hole in my browser?

By klingoncowboy4, 8. January 2007, 20:57:17

Since when are you obliged to run Windows? Ubuntu has made Linux more user friendly than ever. If you care so much about security, I'd say get Ubuntu for free and feel safe. I myself have a dual boot of Ubuntu @ XGL/Beryl (looks great :D) & Windows XP but I still believe Windows > Linux in terms of usability. I don't run a firewall, nor virus scanner, but I have not had a virus in about a year I think (that one virus I had was just because I accidentally clicked some link in MSN without thinking.. duh). Also, if Linux also used BSODs, I saw more of them in Linux than in Windows (complete lock-ups).

As for security, Opera is fine :wink:

By Knippers, 8. January 2007, 21:11:30

jeff_schiller, serious vendors are loyal not only to the users and to the reporters of security issues, but also to other vendors - after all, we are all in the same boat :smile: Keep in mind that it doesn't make you less safe if you yourself do not know about a security fix: a safe browser is not more or less safe if an announcement is made public before, or jointly with, other vendors.

That said, this was not the case this time :smile:

By csant, 8. January 2007, 21:44:04

Originally posted by "Knippers":

Since when are you obliged to run Windows?

Good point, I have been considering buying Xandros. My brothers seem to enjoy Fedora, and I have heard good things for Ubuntu... anyways back to the original topic, Operatic Security.

By klingoncowboy4, 8. January 2007, 22:03:31

To add a bit to csant's comment above about the hypothetical multi-vendor issue that was not the case this time... I think there is a big difference between security issues that are discovered in the wild, so being exploited already, and issues found by researchers who talk to the browser vendors. In the first case, we should indeed not hesitate to boldly proclaim our quick fixes.

By Rijk, 8. January 2007, 22:42:34

@sacud: Opera has many shortcuts, and the buttons you mention are already assigned default shortcuts. You can change this yourself, in Tools | Preferences | Keyboard Shortcuts.

By Helmers, 8. January 2007, 22:45:39

@jeff_schiller: Read the last paragraph of the post, please.

By Junyor, 8. January 2007, 23:31:17

@impotent who wrote:

I have never been so high up in the list, till now.
Anyway, when are we getting Opera 10?
It's almost a year since we had the Opera 9 beta 2 build released. Since then I have been following Opera very closely. Looking at the past year, don't you think something is really due for us? Opera has already taken a small step; I'm waiting for that giant leap.

Think on the bright side. This could be Microsoft. It took 5 years to update IE6. It took 14 months to go from IE6 SP2 to 7.0. How can you be complaining? Is 1 major version per year not fast enough?

By IceArdor, 9. January 2007, 01:09:52

I don't think there is anything out of the ordinary with Opera's Security Policy.

As an unrelated note, I can no longer open url links in email messages in Gmail.... I think Google has changed something, this is very bad.

By ferrisnox, 9. January 2007, 01:52:25

For the record, I for one do appreciate the effort and commitment of the Opera team on security issues. It is not without good reason that Opera has about the best security record of all the browsers.

Now, at the risk of repetition, for the next version can we please have a gargantuan bugfix effort. There are many, many outstanding bugs, some of which I imagine are fairly trivial fixes, and many of which have been around since the days of 7.0.

I'd also like to make the point that with the release of IE7 and FF2 Opera has never been in a better position to gain market share. Both of these browsers have had major problems with their increased standards support and browser engine features, resulting in many reconsidering their browser choice(s) (due, I'm guessing, to Opera's better incremental and piecemeal approach to the issue). One very positive outcome of these developments is a levelling of the browser playing field - the fact that all the browsers are having difficulties with correctly rendering many sites. The knock-on is that sites are being recoded to become more standards compliant and use less browser specific features; this leads to better site handling for all browsers, including Opera. Maybe now would be a good time for a marketing push?

Congrats on 9.10 and a happy new year to you all! :D

By sebt, 9. January 2007, 02:39:50

Frankly I'm with Jeff Schiller on this one - lots of hypotheticals, but then no facts! Was Opera supposed to announce the fixed security before the vacation, or was it supposed to coincide with Secunia's announcement, or what?!?

By MossMan, 9. January 2007, 06:45:32

.

Hi Desktop Team,

You do a fine job. Keep up the good work!

Please continue the Classic Installer line - this one is the finest ever, doing its work automagically in each and every case.

All the best in 2007 - can't wait for the next nightly, especially after I have found that my newest Opera build 8679 running under NT 5.1 Sp2 takes 100% of the processor power waaaaay too often... and stays so

:-(

Java 6, of course.

Could not yet find out the exact circumstances; if I do, then I launch an official bug report.

Yours,
Yago

.

By yagotta, 9. January 2007, 06:54:14

Nice article. It's always important to know why things don't happen the way we think they should... :wink:

By GT500, 9. January 2007, 07:38:23

MossMan: Not Secunias.. Idefences

By olli, 9. January 2007, 08:51:23

I run the shared-Qt version of Opera, and compile my own Qt libs (up to 3.3.7 currently) and my own libjpeg (6.2, been around since forever) and have Qt use the system-versions of all the libraries.

Am I still vulnerable to the JPEG DHT exploit? Youse guys aren't just passing JPEG files to the library, and are processing some of them yourselves?

By kennycrudup, 9. January 2007, 09:42:50

@jeff_schiller: Agreeing that Asa & Co. succeeded to hurt us on this one, and we will try to improve our communication of security updates.

In particular, for maximum security you should *always* use the latest final version of Opera. Not just because it has the most published security fixes, but also because we constantly improve stability and user interaction to prevent potential future attack vectors.

To put it this way: We don't alert all our users about new versions to drive download numbers.

To your question:
- "If you're not going to disclose security information to your users in a timely fashion until Firefox fixes it, should I just use Firefox?"

No, you shouldn't. It's important for our common user base that we wait (within reason) for each other in such cases. If we screw up for Firefox users, they wouldn't wait for us next time if we need it...

By borg, 9. January 2007, 10:07:11

Vulns: (to put this in the context of 'political shooting' ..:D ) so why would a *major figure* report on exactly how and where to kill him easily and reliably????

It is possible to totally 'lock down' the security of windows, so that is not the problem!!!

- the problem is the major hole in this, the browser path.. and the less clue that people get, the less able they will be to hijack it...

And as for all of those 'driving without seat belts, just for non-safety reasons', have not seen the amount of red stuff everywhere that creates..... :insane:

By illiad, 9. January 2007, 10:13:14

Originally posted by "sebt":

Now, at the risk of repetition, for the next version can we please have a gargantuan bugfix effort. There are many, many outstanding bugs, some of which I imagine are fairly trivial fixes, and many of which have been around since the days of 7.0.


I hope so too, though 9.10 seems to fix many things already. Just a few details left.

By arghwashier, 9. January 2007, 10:39:58

@kennycrudup: Opera has its own cross platform jpeg library.

By toman, 9. January 2007, 11:55:31

Originally posted by jeff_schiller:

Which calls into question how serious Opera really is about security.

The track record should speak for itself. And these flaws haven't even been demonstrated as being able to run local code in the first place - they were merely "moderate" flaws.

Originally posted by sebt:

Now, at the risk of repetition, for the next version can we please have a gargantuan bugfix effort.

Are you assuming that loads of bugs AREN'T fixed in other releases? That's not consistent with what Opera says.

By WhineWhine, 9. January 2007, 12:03:21

Originally posted by "nelsson":

Are you assuming that loads of bugs AREN'T fixed in other releases? That's not consistent with what Opera says.


Everyone has their own pet bugs, most bugs that got fixed I never even noticed as bugs. 9.10 fixed my very long standing pet bug though :smile: very happy with that, only small things, to me, left....

By arghwashier, 9. January 2007, 13:09:35

About bugs: We fix a LOT more than what we say in release changelogs. Even the weekly changelogs are not complete. Now back to the topic...

By toman, 9. January 2007, 13:57:57

Originally posted by "Helmers":

Opera has many shortcuts, and the buttons you mention are already assigned default shortcuts. You can change this yourself, in Tools | Preferences | Keyboard Shortcuts.

No, you mistook me - I can use these shortcuts before I begin downloading a file. I can't use them only from when I start downloading a file until it ends. The only way out in this situation is to restart the browser.

By sacud, 9. January 2007, 17:52:56

@borg: "In particular, for maximum security you should *always* use the latest final version of Opera."

In general, I believe this, but you can't expect all your users to constantly be checking your website or Help > Check for updates religiously to learn of a new version. If there's an auto-notify feature in Opera, I've missed it until now, so apologies up-front.

It's also true that new versions of Opera introduce new features, which can introduce new attack vectors. That's why I kind of like the way Mozilla is doing things:

- auto-notify and auto-update feature is excellent now that it's working (since 1.5)
- each "branch" or release number (1.5, 2.0) can have security features released

Thus, if I'm comfortable with Firefox 1.5 (as a large percentage of users might be), I just stick with that and Firefox tells me when I need to update to Firefox 1.5.0.9 and then DOES IT FOR ME.

Anyway, I look forward to better handling of such issues in the future, as I believe Opera is the best core web browser out there.

By jeff_schiller, 9. January 2007, 18:02:19

@illiad: I don't think anyone is suggesting that Opera disclose details about any security bug fixed, what I would like to see is notification that SOME security bug was fixed so that I know I need to update my browser to be secure.

By jeff_schiller, 9. January 2007, 18:05:34

Originally posted by "jeff_schiller":

If there's an auto-notify feature in Opera, I've missed it until now, so apologies up-front.

There is an auto-notify feature in Opera. It checks for a new version once a week: opera:config#UserPrefs|CheckForNewOpera

By quiris, 9. January 2007, 22:04:29

@ jeff_schiller, Its in front of your face. Fqn read the post!

By rschultz2002, 10. January 2007, 01:48:36

rschultz2002: jeff_schiller is requesting auto install as well as the notification on new update. We do have this in our plans :-)

By olli, 10. January 2007, 09:37:55

jeff_schiller: yeah, I know that, I was just saying it for those lacking it....

toman: The only way you will quiet these peeps, is to list the fixed bugs by number.... :D

and as for those who 'cant keep up' with new 'product', it's not like you have to 'search' for it!! - I thought the problem was 'not enough' , not 'too many' !! p:

By illiad, 10. January 2007, 09:43:40

The bloody search toolbar items are blank even search in page and Icon gets stuck on XP task bar. Not sure all ad service codes work (tmetonline.net is a testable site for this).
The new adbrite login section doesn't quite refresh with ad approvals and refusals.
Button problems. Memory usage issues (top user as one file), and worth testing on Win98 a little I've heard some things I have forgotten, especially from bloggers and flickr users.
I still think it would be best if 98/ME or 32/NTFS(+XP)/and Vista be separate downloads.

Oh an idea: like Bellcraft's MASH system but integrated and more proprietary,
being used as a webpage reader from within the program as a disability option.
With bubbles, big letters, and voice (even off of v-xhtml) as a disability option.


Regards,


GZLFB(.com)

By Orff, 10. January 2007, 15:25:13

illiad: Actually, most people have only been asking that Opera report, at the time of release, that the new version fixes vulnerabilities present in the previous version. Opera usually does this, but dropped the ball this time. I haven't seen anyone asking that Opera include bug numbers, exploitable details, or even CVE numbers with the release.

By Kelson, 10. January 2007, 17:20:55

there is always a lot of posts all over the forums, about what bugs were solved, how to track them, how to report them, and whether anything is being done about them....

By illiad, 10. January 2007, 18:34:40

Nice article Claudio (csant) :smile:
good info. thanks

By saulob, 11. January 2007, 07:06:13

Hopefully we see a new build tomorrow/today! :D

By kyleabaker, 12. January 2007, 07:33:02

i am going to talk about security, but not about internet at all, about local security
while opera has a good password manager, wand (i think it uses 168 bit 3DES), i think it doesn't use it properly, i will not talk about vulnerabilities like many third party programs like this http://software.techrepublic.com.com/download.aspx?docid=227587 provide as helpful guidance (i doubt if 3DES is that vulnerable!), nor about some bugs like that it (opera-linux) doesn't ask for password each time i log on somewhere using wand though i configured it to ask every time needed, such thing works perfectly on opera windows (i think opera doesn't care enough about opera linux and linux users in general :frown: ).

but the very strange thing is that while M2 asks for a password every time i use it (in the ideal case), it is very easy to find all the mail as plain text on your hard drive!!!! no encryption applied! (not even a caesar cipher :smile: )

another thing in my wishlist, i would prefer it if opera supported a multi-user wand, i mean a wand account for many users, that would be great

By Khaled Khalil, 12. January 2007, 12:20:16