Domain: greymagic.com
Stories and comments across the archive that link to greymagic.com.
Comments · 39
-
Re:Opera?
There are actually very many security holes found in Opera compared to its very low user base. Do a search, and count. You'd be surprised.
Yes, they're usually good at fixing those brought to their attention, but we know nothing about the security problems not brought to their attention. This is an inherent problem with closed source.
Also, not everyone agrees that their security handling is the best.
I remember the jpeg security bug which bit everyone, and everyone fixed. Even Microsoft treated it as critical and severe, but Opera? It was branded a "cosmetic" bug in the release notes of the next release, and no notification of the security hole, urging customers to upgrade.
Some also seem to think that their security model is flawed (in addition to not understanding vulnerability reports).
But back to the point -- with closed source, you just can't know what else lurks under the hood, or whether they actually fix problems, or just the symptoms. That a previously reported bug has reappeared in later versions might indicate the latter -- once what's in front changes, the inside becomes vulnerable again.
Even if you disagree with all of the opinions of Opera having more than their share of security issues and a less than desirable way of treating them, saying that Opera is secure because all known security holes have been patched is just plain wrong. If that was the case, software that no-one has tested would be 100% safe, because there's no known holes. In reality, there's always more holes that no-one has detected, and how many are found tends to be proportional to the amount of scrutiny the application gets. With Opera, that's far less scrutiny than Firefox and IE, so one should expect far fewer found bugs too. Not far fewer bugs. Based on customer base, Opera has more found security bugs than both Firefox and IE, which doesn't bode well for the number of undiscovered ones. -
Re:Sounds like . .
Whatever you say.
But I, for one, will not pay for a browser that doesn't provide me with any features that can't be had for free in Firefox. I would probably buy a copy though, if it provided something significant that cannot be had in any of the other, cheaper, browsers.
If Opera was (in my eyes) a truly better product, it'd be a no-brainer. But the only advantages I've heard of are few and marginal. Of course, if Firefox was worse, I'd probably be using Opera.
And that's why I don't use Opera. And why, for me, it's not worth the money. I suspect there are a lot of people that feel the same way. -
Re:For those of you annoyed by things like this...
Offtopic, I know, but I didn't start it!
A serious security flaw was discovered in versions of Opera prior to 7.53, probably cross-platform. Allows read access to the filesystem (including mail, cookies, etc). Read more here -
Re:Few teething problems, but good overall
Those plugin browsers are really uncool. IMNSHO, as a web developer of sorts, when somebody mentions CruftyBrowser, ShadyBrowser, or whatever other IE type extensions as a substitute for Mozilla and friends is what it would be like hearing someone bragging to his friends that he can borrow your truck and return it with no gas, after doing so.
Besides, isn't it just a little curious that not one of these freeware IE extension programs have any source code out there?
You have the same security problems (and potential additional security risks by the extension itself, ala the Googlebar hack), same lack of standards compliance, you're still chalking up hits for Internet Explorer (yes, the user agent stays the same if you use these), and depending on which one you use, about as much screen cruft as IE and Mosaic combined ;)
Show some compassion, and some support for the coming of true 5th generation internet. Friends don't let friends drive on the information superhighway with MSHTML in their system. -
Re:Perhaps It Belongs in the OS
That's one of the best reasons to use something like Yahoo instead of a separate email client.
But if you're running Internet Explorer, you're still not safe, look at this :) -
Yahoo is ignoring it, I guess that means SBC too!!
Posted this recently to SBC, waiting for a response from them:
According to published information, Yahoo is not responding to the report of a flaw in e-mail filtering software for Yahoo Inc. Web-based e-mail services that could result in the theft of login and password information; the disclosure of message contents in the user's mailbox and contact file; and the exploitation of the user's machine by an outside agent.
What is SBC doing to resolve this serious vulnerability that your customers are exposed to as a result of this serious flaw on Yahoo's part?
We, your customers, never had the opportunity to choose whether to expose ourselves to Yahoo, their advertising and this vulnerability.
I would appreciate some assurance that this severe vulnerability is being fixed.
see: E-Week article
and: Source report of vulnerability -
Re:Works only in IE5, though
Not so!
http://www.greymagic.com/security/advisories/gm005-mc/inject.asp e.g. the test case, 'injects' my IE6 on fully patched Win2k.
-
Re:phew...
only works in IE5 though...
Well, that is what the article says, but the proof of concept page also works in IE 6.0 (6.0.2800.1106)
As it happens, provoked by receiving the Netsky virus embedded in an HTML email in Outlook that attempted to launch via an iframe, I happened to download Spybot Search and Destroy.
Using Spybot Search & Destroy, I found out about another Grey Magic discovered vulnerability, Executing arbitrary commands without Active Scripting or ActiveX. I also discovered that I'd apparently had an Alexa phone-home browser extension installed as a "Browser Helper Object" in IE, god knows for how long.
I've been using Mozilla FireWhatever for quite some time, eschewing Internet Explorer except for those sites that don't work without IE or for testing my own sites in IE. But clearly, even a careful user with an up-to-date copy of IE and a firewall isn't safe, principally because rather than concentrate on security and getting what they already have working securely, Microsoft prefers to pile on ever-accumulating layers of non-essential crap like HTML-TIME.
I've no idea why someone thought that HTML-TIME, ostensibly for adding "timing and media synchronization support" to HTML, required the ability to arbitrarily re-write pages. But clearly it's nothing that's desirable in an email.
My course is clear at this point: after repeated attempts, Microsoft still can't get it right, still cannot write a browser that's anywhere near secure. Crap like "HTML + TIME" is NOT worth the risks it brings with it -- especially when the risks are borne by the end-user in order to make life easier for (generally commercial) web site developers. Boycott IE, and boycott sites that only work in IE -- even if -- especially if, they use Microsoft extensions like "HTML + TIME". -
Re:alternatives
as you can see from their demo page it's not limited to yahoo.
people are always picking on the big guys. -
More details for those interested
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.
-
Re:What major changes?
I use Opera a lot and usually find that it is faster than IE (I've never seen IE beat Opera for speed), and I find that Opera is a lot more usable since I like to use keyboard shortcuts (love the Ctrl+Shift+Enter to open a background tab). And I was trying to get some statistics on how Opera is faster and found this and then this. I have no idea what the first one means. The second one is not technical enough. Wonder if this means Opera renders slower but due to caching and other tricks becomes faster?
I also tried opening a huge HTML file (lots of random text with HTML tags at bottom and top) right now; sure enough, Opera did it faster ??? -
Microsoft's endemic security failure.
The endemic failure of Microsoft toward the security of its own products, services and customers is reason enough to bring the use of Windows 2003 Server in mission-critical tasks into question.
For example, Microsoft was notified of the issues, concerning only Microsoft's implementation of its JVM, on September 2nd 2002, and after SEVEN MONTHS, on April 9th 2003, Microsoft issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
Nothing is absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within another 24 hrs, Red Hat had already backported the patch into their distributions' RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updatable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE had not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/syscall/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 ):
Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes
...
...In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitation -
Did Schmidt resign due to Microsoft's failure?
The endemic failure of Microsoft toward the security of its own products, services and customers is reason enough to bring Howard Schmidt's leadership in the area of cyber-security into question.
For example, Microsoft was notified of the issues, concerning only Microsoft's implementation of its JVM, on September 2nd 2002, and after SEVEN MONTHS, on April 9th 2003, Microsoft issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
Nothing is absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within another 24 hrs, Red Hat had already backported the patch into their distributions' RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updatable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/syscall/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 ):
Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes
...
...In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitations -
Re:Quick Turnaround
Who's the idiot? The discoverers DID comply, they notified Opera last Friday and published the exploits only yesterday.
-
Re:Opera
Ironic that you should be so emphatic about Opera on the same day that five new vulnerabilities are discovered in it.
Long live Mozilla \o/
-
Bzzt, Wrong, Try Again
WinXP, IE6, SP1, Baseline Security Advisor showing no issues.
http://security.greymagic.com/misc/globalDgArg/ - I can display arbitrary files from my hard drive in the javascript dialog. Other exploits don't seem to work.
http://sec.greymagic.com/adv/gm012-ie/vobjcache.asp - Clipboard exploit works, others fail.
These are two near the top of the list that work; while they aren't remote code exploits, they illustrate continuing security problems.
-
IE tested
If you think you're safe sticking with IE, you should try taking the Anonymizer.com Snoop Test.
I did. With IE. Here is what happened:
1. Your IP address
It picked up my IP address. Fair enough. I'm not running through an anonymous proxy.
2. Hidden tracking files (cookies)
It couldn't list any of my cookies.
3. Exposed Clipboard
This was a little scary. It picked up what was in my clipboard and displayed it.
4. Hack and Exploit Vulnerability
Sophos immediately popped up a message telling me it had detected 'Troj/Codebase-A' in my temporary internet files. A window appeared with some HTML telling me that file:///c:/winnt/win.ini had moved. But nothing else.
I couldn't open the click here links, the links below that didn't work and MSN wasn't giving out my contacts.
5. Browser and Operating System
Big deal. It got them from the HTTP_USERAGENT. I'm not totally paranoid - I don't mind people knowing what browser I use.
6. Geographical location
Middlesex, England, GBR. Well, 2 out of 3 isn't bad but not exactly something to get worried about. Wonder why it thought Middlesex though?
7. Your network
This took the piss. It's just a traceroute from them to the IP address that they determined in the first test. It's not much of a big deal.
I run Internet Explorer 5.50.4919.2200. Sure, I don't doubt that IE has its problems - but the stuff that Anonymizer is shrieking about is generally not that big a deal and flagged only so they can sell their products.
(mind you the clipboard one was a little spooky)
-
And while we're at it...
Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.
However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public? -
Re:Record Time Repeat
Great to see this getting modded up - it's like going to Microsoft and explaining that you really welcome the new license changes, and that the many hidden features are a real boon to your productivity.
:-) -
Let's see..
Microsoft Internet Explorer: 17 unpatched vulnerabilities.
Netscape/Mozilla: 1 patched vulnerability.
Opera: 1 unpatched vulnerability.
See http://sec.greymagic.com/adv/ -
Re:But...
-
Re:The funny thing here is...
Why don't you post the URL to the people who discovered the hole?
http://sec.greymagic.com/adv/gm001-op/
You could also quote this from their report:
Opera was informed on 15 May 2002 and confirmed our findings. A day later, in the evening of 16 May 2002, Opera informed us that the vulnerability was fixed and committed to Opera's own version control system.
On 27 May 2002, Opera released version 6.03, which addressed this issue.
Opera has been extremely responsive and quick to understand and patch this vulnerability. They have shown that they truly do take security seriously.
The hole was fixed very quickly after it was discovered. Your comment is a bit out of place, unless you are really trying to say "all software in existence is lacking on the security front". -
One thing I'd like to know...
What's the status of this vulnerability?
Basically, it allows reading any given local file and browsing through the local folder tree in Mozilla -- the site mentions 1.0RC1 was tested and affected, it hasn't been updated since then.
It was discovered on the 30th of March, Netscape was informed on the 24th of April, and hadn't acknowledged the security researchers' notification within six days, so it was made public. (Cue flame war about MS's security woes...)
Pretty nasty... anyone with the new build care to test it? -
Re:The difference is...
Congrats on running Mozilla.. However that doesn't mean you are Bug Free
Actually, I use both Mozilla and IE, but these stories that are being posted on Slashdot are just silly. You are mad if they do patch. You are mad if they don't patch. Make up your mind Slashdotters! -
Netscape not secure
-
Re:Yep - definitely
Regardless of which browser anyone chooses to use, I'd hope they're more diligent about upgrading and/or patching than the people in this article were. All browsers have weaknesses and vulnerabilities, both known and unknown.
A good point, especially as NS6/Mozilla had a very similar security hole themselves, which is why it was FORBIDDEN on the FreeBSD ports tree until they put in an unofficial patch (they're very good at that - icecast, for example, is currently in the same situation and pine has a series of warnings when you try to compile). If you read bugtraq, like I do, you'd also have seen a buffer overflow in the IRC component.
It's very hard to be totally secure, and it's not really fair to denigrate Microsoft when a patch has been available for months (viz CodeRed/Nimda), or RedHat when people are still using 5.2. -
Re:Yep - definitely
Well, since you switched to Mozilla from IE, you might want to read this.
-
Re:Less buggy browser?
http://sec.greymagic.com/adv/
Open IE Advisories: 7 (and one appendix, whatever...)
Patched IE Advisories: 1
Open Mozilla Advisories: 0
Patched Mozilla Advisories: 1
I believe he said LESS buggy. -
GreyMagic posts four vulnerabilities
And on the same day as the Post article, GreyMagic posts four security alerts on Office Web Components in IE:
Scripting for the scriptless with OWC in IE.
Reading local files with OWC in IE.
-
Re:Pop up download
That won't necessarily help you. Check out http://security.greymagic.com/adv/gm001-ie for a load of what can be done to Windows IE...
*YES* with Java turned *OFF*
*YES* with scripting turned *OFF*
*YES* with Active-X turned *OFF*
This particular exploit also applies to Outlook Express and Outlook. Scary.
I'm not repeating myself; I'm an X Window user; I'm an ex-Windows user. -
new windows feature!!
Bill Gates' new security-conscious Microsoft has developed a new feature that allows you to let others run your local executables remotely...yet again!
Click here [greymagic.com] to see this added functionality in action! Just type in the path to a local executable, and watch the fun!
Also check out this M$ "fix" -