Opera fails to reveal security fixes in 9.10

Asa Dotzler mentions the Heise Security article about Opera 9.10 which was released in December. The release notes fail to mention two fairly critical security problems that were fixed in 9.10 but were present in the previous version 9.02. The main features listed in 9.10 were the online fraud protection and some stability updates.

The main concern being raised is that, because the security updates are not mentioned, people may just choose to skip this release if none of the new features appeal to them, whereas they would be more likely to upgrade if they knew that it fixes security issues.

This could be Opera trying to hide security problems from their users to appear more secure in their minds, or it may just be an omission: a note that should have made it into the release notes but didn’t because of a breakdown in internal communication.

Looking at past changelogs, they have mentioned security issues before (e.g. 9.02, 8.54, 8.02), so it may be premature to say that they’re deliberately hiding things from users. However, one thing I did notice looking through past release notes is that the list of fixed security issues is low. It’s quite possible they normally only list security issues as fixed if the issue is already publicly known, or it may even be that fewer security issues have been found in this browser (fewer known issues does not mean fewer actual bugs - although it is possible).
The Mozilla project has a useful page that lists the vulnerabilities fixed in previous versions of Firefox, Thunderbird and SeaMonkey.

One thing that everyone should know by now is that there’s no single browser that is 100% secure, so the best bet is to make sure that your browser of choice is kept up to date. People do need to be able to trust that they’ll receive timely updates to address issues, and they need to be informed when they have to update. Although past performance is no real guide to the future, it is one way that people use to decide if software can be trusted. Microsoft lost a great deal of trust with IE6; the security record of IE7 is still to be proven. Hopefully Opera can learn from this incident and make sure security updates are properly highlighted.

Sometimes when you’re running a business it can be very hard to decide how much information to give out. Make too much of a deal about security issues and the press may try to make your software look buggier than it really is; on the other hand, if you don’t mention the importance of an update to your users then it can put them at risk. I can imagine nearly all software companies have been guilty of this at one time or another.

UPDATE: just noticed it has been mentioned on Slashdot.

One Response to “Opera fails to reveal security fixes in 9.10”

  1. Assa Says:

    Asa is a troll. He accuses Opera of downplaying severity of the security issues and in the same comment thread he downplays an open security issue in Firefox listed at Secunia. Yesh holier than ever Firefox has an open security issue and Asa attacks Opera when they have none…
