RealTime IT News

Opera Has Words For Mozilla

Opera Software is calling accusations made by Mozilla staffer Asa Dotzler regarding Opera's security disclosure policies, "dangerous and irresponsible."

The issue at hand revolves around a pair of security vulnerabilities that were recently discovered by Verisign's iDefense division. Dotzler alleged that since Opera did not immediately alert users that there was an update available to fix critical flaws that Opera was in some way negligent.

Opera disagrees.

Opera spokesman Thomas Ford explained that one of the vulnerabilities was tagged "low impact" while the other was "moderate impact."

"Consistent with our track record, we patch all vulnerabilities, regardless of severity," Ford told internetnews.com. "This has been our philosophy since we first made a browser in 1995, and it will remain that way."

IDefense alerted Opera to the flaws on Nov. 16, 2006, and Opera began a full investigation the following day. Ford explained that, as is standard practice in the IT industry, a disclosure date was agreed upon by iDefense and Opera. Since the timing occurred around the holiday break of Christmas and the New Year, Opera agreed with iDefense to disclose on January 5, 2007. Opera shipped Opera version 9.10 on Dec. 18, 2006, with the fixes included.

Mozilla's Dotzler took issue with the fact that Opera did not originally alert users to the 9.10 release in the changelog that it included key security fixes. It's a charge that Opera isn't disputing.

"We accept that we should have made it clearer that 9.10 included security upgrades," Ford admitted. "We have rectified this in several places, including the changelog to which you linked.

"We recognized that our internal reporting and communication process could be improved and we have taken steps to ensure this does not happen again."

Opera also disagrees strongly with the accusation made by Dotzler that Opera downplayed the severity of risk for users.

"As a public-facing employee of the Mozilla Corporation, his comment is incredibly reckless and disappointing," Ford stated. "All vendors, including Mozilla Corporation, may adjust the severity of a security vulnerability when they disclose if they disagree with the finder's assessment."

The real issue when it comes to browser vulnerabilities is about the length of time a user is actually at risk from real attacks. It's a sentiment that Dotzler himself noted in a blog post several days before his Opera comments. In the case of the recent iDefense-discovered flaws, Ford contends that Opera users were not at risk for a single day.

"We have a long and proud record of placing our users' safety as our top priority," Ford said. "We will continue to do so and vigorously defend ourselves against claims to the contrary. "