3 Apprentice


15.6K Posts

January 23rd, 2011 08:00

I looked around the Opera forum to see if I could find any more information (responses) there... there was one thread questioning the matter, with a single response (about the merits of disclosure prior to the vendor having a chance to issue a fix) http://my.opera.com/community/forums/topic.dml?id=886702 --- but that thread has already been locked.

2 Intern


5.8K Posts

January 23rd, 2011 12:00

Opera apparently has a reputation for washing its own dirty linen quietly, without making public disclosures. I have no idea if this is true, but a quick check at Secunia's website will confirm very few vulnerabilities disclosed for Opera in recent years.

I don't know about the ethics of disclosing a vulnerability, but the reason cited for locking that Opera forum thread seemed pretty flimsy (inadequate title?). Seems a bit self-serving.

Personally, I'd rather know about unpatched vulnerabilities and zero day exploits. Interestingly, Secunia tried to remove its "Secure browsing" feature in its PSI 2 beta. Presumably because it felt there was no need to inform users of unpatched vulnerabilities in browsers. Feedback from those of us who beta tested led to its reinstatement in PSI 2 Final, although it is hidden by default.

3 Apprentice


15.6K Posts

January 23rd, 2011 15:00

"Personally, I'd rather know about unpatched vulnerabilities and zero day exploits".   Perhaps.   As long as the notification included a list of mitigating factors and/or a viable workaround.   But to let me know there's a critical vulnerability out there, for which I can't do anything, I think I (and the public) will be better off not knowing.   By revealing vulnerabilities "prematurely", it only increases the likelihood of amateur hackers (in addition to the professional hackers) being able to "test the waters".

By analogy, after the 9-11 attack on the World Trade Center, there were news articles that pointed out alternative targets that could have resulted in greater catastrophes.   That's just what we needed (sarcastically) --- to advise the [ignorant] terrorists how to be more successful next time.  DUH!

-------------------

I've stuck with PSI 1.5. It still seems to work fine (albeit it does advise me about the new version). However, based on your review --- that you've opted out of its new features (like automatic patching of programs), and having to UNhide info on the insecure browsers --- I really see no point to "upgrading".

2 Intern


5.8K Posts

January 23rd, 2011 16:00

"But to let me know there's a critical vulnerability out there, for which I can't do anything, I think I (and the public) will be better off not knowing."

But there is something you can do - avoid using the browser! Or browse in a sandbox. (It's not for nothing that I have 4 browsers and Sandboxie installed). Admittedly, there are times when all browsers seem insecure.

I understand the argument against disclosing vulnerabilities publicly, without prior notification to the vendor. And the argument against disclosing details of a vulnerability that might aid bad-hat hackers. But surely there are ways to inform people of the existence of an un-patched vulnerability, without revealing said details. A generic alert, if you will.

All that said, I admit I don't know all the ramifications and implications of this topic.

---------------------------------------------

As far as Secunia PSI goes, the biggest difference between 1.5 and 2.0 (the way I've configured it) is that when I close the program, it is gone. No balloon alert that PSI is still running, no icon in my notification tray, no "are you sure" message before shutting it down. Saves me 2 or 3 mouse clicks.

Now that's what I call progress!

3 Apprentice


15.6K Posts

January 23rd, 2011 16:00

As mentioned elsewhere, I have installed EMET (Microsoft's Enhanced Mitigation Experience Toolkit), and opted-in all my browsers. I know that in some cases (e.g., some recent issues with Adobe Reader), EMET was deemed a successful mitigation to exploitation of the vulnerability. I have no knowledge as to whether or not EMET is effective in the case of this particular Opera vulnerability... but figure it can't hurt things any.

-----

So a new PSI version, whose only practical advantage is in how you exit/close the program. I'm sure glad the program is free, because I'd hate to have to pay for such innovation.

2 Intern


5.8K Posts

January 26th, 2011 17:00

This Opera vulnerability is now acknowledged by Secunia (and PSI) in an advisory released today:

http://secunia.com/advisories/43023/

"Solution Status  Unpatched ...

... Solution
According to the vendor, this will be fixed in version 11.01 scheduled for release later this week."

 

3 Apprentice


15.6K Posts

January 27th, 2011 05:00

Opera 11.01 is now available.

However, I had problems with the internal update: After the file downloaded and started to install, I got a message indicating that the installation could not proceed unless the installer closed itself!! I clicked "retry", and got the same message.

Next, I noticed in task manager that a copy of Opera was still "running" --- perhaps it didn't close down properly?? So I closed that, and had the installer retry again. This time, it was able to UNinstall Opera 11... stopping there... leaving me with nothing!!

So, using IE, I downloaded a "new" copy of Opera 11.01, and finally, was able to install it. Fortunately, it seems all my customized settings (e.g., bookmarks) were preserved, despite 11.0 being uninstalled.

I can't say if this was a "fluke" on this machine, or a problem with the upgrade.   I will try it on a second machine later today, and will report back then...

EDIT:   On a second machine, everything ran just fine.

 
