Opera's security policy questionable!

Hi users of the Opera browser,

Hiding two major security bugs from your users until a third party discloses those bugs is bad. Read here:
http://blogs.securiteam.com/index.php/archives/794

polonus

Hiding two major security bugs from your users until a third party discloses those bugs is bad.

Opera did not hide the bugs from its users: it was working to patch the vulnerability, and to announce the vulnerabilities to the public would have alerted the bad guys to the fact that an attack on Opera was possible. Far from being questionable, Opera’s security policy is the only sensible one. And they did not hide the bugs until a third party disclosed them. The third party found the bugs and reported them to Opera, only making them public when the vulnerability had been fixed. This is clear from the iDefense website:

VIII. DISCLOSURE TIMELINE

11/16/2006 Initial vendor notification
11/17/2006 Initial vendor response
01/05/2007 Coordinated public disclosure

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=457

:wink:

Hi FwF,

Not alerting the miscreants is the only valid reason I can see there. If there is a browser vulnerability and you can be secure by implementing a certain policy (for instance not running script inside the browser, or having other ways to go around it), this is far better than security through obscurity.
If you know you won’t fall victim to something, forewarned in most cases is forearmed. Firefox and Flock also have several bugs pending; they discuss these, and what to do until the holes have been patched.
What is the use of bold security browser testers if they are left in the dark?

polonus

I believe Firefox also has the same policy, that vulnerabilities are only made public after a patch has been issued, with the co-operation of the party reporting the flaw, assuming of course that the person or organisation does not decide to go public with it. For my money, that’s the best policy.

EDIT: In addition, I don’t believe this vulnerability had been exploited or used in attacks, so warning users of a possible attack would not protect them from a threat, but would only expose the many users who would surely not have heard the advice to disable JavaScript to any exploit the malware writers managed to come up with in the window of opportunity after the vulnerability was made public and before a patch could be issued.

Opera Desktop Team - Handling Security