Although the Opera web browser client is no longer the big 'little player' that it used to be having long since been eclipsed by the likes of Chrome and Firefox in the Internet Explorer alternatives stakes, it can still claim more than 300 million users and a place as world's most popular browser for mobile phones. So when you learn that Opera Software, the company in Norway behind the Opera browser, has admitted that its internal network infrastructure has been hacked you have every right to be a little concerned. That concern may grow a bit when you discover that "at least one" code-signing certificate was stolen. It starts getting a tad on the large side when, in the next breath, Opera Software also admit that certificate has been used to "distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser" according to an official spokesperson.
However, for me, my concern turns obese when the public announcement of the hacking and that certificate theft, along with the admission of the malicious software distribution as a direct result, is spun out under the headline of: "Security breach stopped". Erm, hang on a moment, that rather suggests that there is nothing to see here, that the security at Opera Software was all good and the bad guys were thwarted. Or at least it would if the statement that follows didn't take a whole week to arrive after Opera discovered security had been breached, didn't refer to that code-signing certificate theft and subsequent malware distribution as being of 'limited impact' and almost write off the fact that "a few thousand Windows users who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software".
Kudos to Opera Software for going public, that's always the best policy. I'm no advocate of immediate knee jerk reaction disclosures either as they invariably land the publisher in hot water. However, a week to make this announcement? C'mon people. Kudos to Opera Software for rolling out a new version of Opera which will use a new code signing certificate as well. But to say it's doing this "to be on the safe side" when the company has already admitted a malware version has been distributed really does stink of letting the PR men take hold of the security disclosure reigns. After all, as Malwarebytes Senior Security Researcher, Jerome Segura, states that "it would appear as though the bad guys went as far as pushing the update onto some of Opera's 300 million users for a 36-minute period, meaning they had access to Opera's infrastructure during that time".
"Users are strongly urged to update to the latest version of Opera as soon as it is available, keep all computer software up to date, and to use a reputable anti-virus product on their computer" the official Opera Software statement reads. But I'd rather be reading less of the damage limitation spin and polish, and more on how the hackers got in and what steps have been taken to prevent this happening again. As security expert Graham Cluley says "in these situations, transparency is often the only way to turn a potential disaster into an opportunity to rekindle some love from users".