Handling Security
By Claudio Santambrogio. Monday, 8. January 2007, 17:24:33
Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview of how security issues get reported and disclosed - not only at Opera, but for most applications: it might help some people to understand how this works.
When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters set a deadline by which they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on the details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.
It is important that both parties respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced. This is a form of respect both for the reporter and for all the users that only upgrade to stable releases: making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.
Sometimes it even happens that we do not mention an issue in our changelogs even though we have fixed it - because we are waiting for other vendors to fix the same issue in their products.
A while ago, Yngve posted a nice summary of what exactly a security issue in a browser really is. Let me further stress what he already wrote: we do take security very seriously at Opera, and carefully analyze and evaluate every security issue that is reported to us. It can happen that the severity of an exploit is upgraded by our internal security team at a later stage, because further analysis shows that the original severity rating was not accurate: our priority is to fix the issue first; further and deeper analysis happens even after that, and sometimes rectifies the initial findings.
So what you have been seeing with the 9.10 release and the delayed announcement of two vulnerabilities is an unhappy coincidence of the release and the Christmas vacation. Happy new year to all, and enjoy safe browsing - and remember to upgrade to 9.10 if you haven't done so yet.
Toni Eisner # 12. January 2007, 14:29
It lacks lots of standard fields, let alone access from other applications.
It would also be very nice if the picture added to an address could be used in the chat module. The few available standard icons are not enough.
Haavard # 14. January 2007, 19:28
Teal_One # 19. January 2007, 20:32
However, a new version could also contain new bugs, right? So why change to the new version if the old one runs fine and no security fixes were made?
JH # 4. November 2008, 10:57
I have a bank site that I go to daily. Opera reports it as a fraudulent site starting, oh, a few months ago. Apparently it absolutely is NOT a fraud site. I have tried to report this problem several times with no change. I also tried phishtank.com. No help that I can find or see.
I finally asked the bank itself about this via their "secure message" facility. They gave me some generic disparaging remarks about site ratings in general. But they insist their site is VERY safe. Indeed, I personally have had no trouble with it so far.
What is to be done? Now I check the URL very carefully before ignoring Opera's bogus warning. I fear I will not check the URL well enough some time and I really will end up on some scam site, doing my banking business there!
Also, McAfee site ratings using Internet Explorer find nothing fraudulent about the bank site in question.
Seems once a site is ever on the s--t list, even in error, you can't get it off.
Thanks,
-JH
PS: on editing my comments, I don't know why my text changed to italics.
ramonjosegn # 29. November 2008, 20:58
www.mecacho.com
ramonjosegn@yahoo.com