Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opera 7.0 Security Holes ... Fixed

Posted by timothy on from the fat-lady dept.

An anonymous reader writes "GreyMagic has issued five new security advisories for the recently-released Opera 7.0. They affect the security model, the javascript console, images, the history and the error log (allowing access to the history). A new version will be released within 24 hours to fix the holes, according to an article at The Register." Update: 02/05 02:01 GMT by T : An anonymous reader writes "Opera Software have just released Opera 7.01 for Windows. This version fixes the recently discovered security holes less than 24 hours after they were discovered - a very impressive turnaround! The release is currently only available on Opera's FTP site. It can be downloaded with Java (12.9Mb) or without (3.3Mb)."

16 of 291 comments (clear)

  1. Re:Who in their mind... by Tyler+Eaves · · Score: 3, Informative

    You've obviously never used Opera. Besides, you don't HAVE to buy it. If you can put up with a small, non-flashing banner ad, it's totally free as in beer.

    --
    TODO: Something witty here...
  2. Re:Great I just downloaded this 2 days ago by Edball · · Score: 5, Informative

    There are workarounds it says until the patch, just turn off javascript.. that gets rid of 4 of 5 holes. 5th hole is plugged by changing

    m.replace( /\\/g, "\\\\" ) +

    on line 52 of "console.html" in Opera's install dir with:

    m.replace( /\\/g, "\\\\").replace(/"/g,"")+

  3. Re:That was quick by Rojo^ · · Score: 1, Informative
    Before I read this article, I assumed security flaws in web browsers involved activex, javascript, or basically *script that wasn't a problem in the days when HTML only rendered text and images. The image bug:
    open("file://localhost/images/file.gif?\">(scri pt here). . .
    really got me concerned though. If you're interested to know, Phoenix wasn't affected by this bug, and the other *script bug vulnerable features can be easily disabled on a critical computer.
    --
    <:
  4. Re:Quick Turnaround by sean23007 · · Score: 3, Informative

    Opera didn't announce the exploits, idiot. They requested that the people who discovered them wait to announce them for TWO DAYS so that a fix could be released before the exploits became publicly known. The exploit discoverers did not comply. Opera did everything right, and it is impressive that they are working so fast and so hard to fix the problems.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  5. Phoenix by jsse · · Score: 5, Informative

    I know it might not help much, but all Opera user should give Phoenix a shot.

    I used Opera and I really like it very much as its efficiency and functionalities can really beat any other alternatives. However, I failed to get Java and flash work properly on Linux, it always has some glitches here and there. Opera works fine in this regard in Windows, though.

    Then I gave Phoenix a try. To my surprise, not only java and flash works flawlessly, its performance is even comparable to Opera! Although it doesn't have the same functionalities I'd find in Opera, but I can install extensions to enhance its usabilities. Above all, it wouldn't give you annoying banner ad(yes I didnt pay for Opera :)

    I just tell from my experience, and I've no association with Phoenix development team. :) (yeah, kudos to Phoenix developers!)

  6. Grey Magic didn't wait two days! by antdude · · Score: 4, Informative

    According to this forum thread, it said "Grey Magic looking at the alert said they informed Opera in Nov. of the problems in beta 1 of version 7. In beta 2 Opera thought they had fixed it but instead had only fixed part and not all. On Jan. 31 Grey Magic informed Opera of these problems in version 7 final , Opera asked for the to wait till Feb. 6 before announcing so that they could have it fixed , Grey Magic chose not to wait just 2 more days."

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  7. Re:Or...Safari by Anonymous Coward · · Score: 2, Informative

    Yes, it is, because the code Apple released back to the KDE developers makes the browser fly.

    http://promo.kde.org/3.1/feature_guide.php?page= 4

    "Much attention has recently been showered on the KDE HTML rendering engine due to its adoption by Apple in its Safari browser. While some of the efforts of the Safari developers have found their way into KDE 3.1, the vast majority of the Apple developers' performance, rendering and JavaScript improvements which will be incorporated into KHTML are scheduled for release with KDE 3.2."

  8. Yes by damiam · · Score: 2, Informative
    Thank god!



    Yes, I know the parent was sarcastic.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  9. Re:Have Sun seen this!?!? by Anonymous Coward · · Score: 1, Informative

    I think I know where you were trying to go with your statement. They offer two different d/l's, both use Java, one has it included in the download (12.9MB) and the other is if you already have a version of Java installed (3.3MB).

  10. Re:I may just be yet another opera fanboy, by eddy · · Score: 3, Informative

    I'm with you completely. I've been an Opera-fanboy since the 3.x-beta series. It just get more things right than other browsers -- and I'm continually looking at the alternatives (inkl. Mozilla, Phoenix and Konq), but the feeling isn'ty there.

    There's small things that I need, like the forward/backward gestures, I need my "tabs" at the bottom of the screen (the ones in Moz just looks and feels wrong). Any browser I use must absolutely be able to maintain state between sessions. I'm constantly using features like shift+ctrl+click, reload-every-X-min. I also use the mail-client and I want it on to the left of my browser window (integrated, just like it is in Opera).

    Unfortunately the Opera 7.0 release was way b0rken for me, but if they can ship one or two updates more (basically I couldn't use the email client, I was getting SSL_write() errors in my server log and messages never went out (and Opera didn't mention a thing!). That's bad, but if they can fix it then Opera 7 might become the best thing since Opera 6.05 which I'm back to using now.

    The only thing I truly lack in Opera now is a "developer raw tab" where I could see the HTTP requests and answers in the-raw, with a quick toggle between ASCII vs Hex+ASCII.

    Other than that I guess a bit better control over plugins (enable/disable) would be nice. Don't remember if that's fixed in 7, but in the 6-series you'll have to much around a plugins-ignore.ini which is only read on startup.

    And oh, seeing the raw message+headers in the mail client. Where did that go? There was this odd hidden function (ctrl+shift+y or something) to copy the headers to the C'n'P-buffer, but...

    Opera software, if you're reading this; Fix the mail client and I'll give you more of my money.

    --
    Belief is the currency of delusion.
  11. Not 24 Hours by sparkhead · · Score: 3, Informative

    Maybe 24 hours since it's been reported here, but look at the error reports, the latest report is dated January 29th, the earliest is from November (a variant of the hole in question).

  12. 7.01 not officially released! by TeknoHog · · Score: 3, Informative
    Many people have noted before (concerning BSDs and the like) that files appearing at ftp sites do NOT mean it's officially released. Opera 7.01 is still not officially released, and the files might still change.

    For the alpha previews of their unix versions, go here.

    --
    Escher was the first MC and Giger invented the HR department.
  13. Re:Wow by kevcol · · Score: 2, Informative

    If you are under the impression that the only benefit to using Opera is speed, you are mistaken.

    Tabbed browsing (with the option for changing your preference to new windows for each web page), superior mouse context menues, ability to change user-agent, great keyboard navigation, ability to turn off all pop-ups or let the ones you select yourself by (worth it alone for that feature), ability to turn off seizure inducing animatied GIFs, page zoom feature, exellent standards compliance, and on and on and on....

    Yes, many of these features are available in Mozilla based iterations, but I haven't yet found one that had them as well done as I have found in Opera, or that doesn't hog so goddamned much memory. And if you are looking for a modicum of these features in IE, forget it.

  14. Re:More like IE 5.0 vs. IE 5.5 by rodgerd · · Score: 2, Informative

    Standards compliance and psuedo-webbish features. Microsoft themselves culled a huge about of crap and non-standard extensions between 4.0 and 5.0, some more between 5.0 and 5.5, and 6.0 is becoming stricter again.

    (Although it should be added there's stuff 5.5 that wasn't in 5.0; IIRC, the JavaScript XML parser is new in 5.5).

  15. Re:Opera in the movies by hkmwbz · · Score: 2, Informative
    From the opera.com main page:
    Opera Goes to Hollywood

    See Opera make its debut in Hollywood, starring in "The Recruit" alongside Al Pacino and Colin Farrell.

    Opera fans: Wake up your fellow movie goers, give Opera a cheer during the film. ;-)

    It's also being discussed in the Opera forums.
    --
    Clever signature text goes here.
  16. Why I use Opera by nettarzan · · Score: 3, Informative

    First of all, let me make it clear that I would rather not pay for something if I can get it for free. Having said that the reasons I paid for Opera are:
    1.Tabs
    Say what you may about Knoq, phoenix having tabbed browsing. But Opera what the first and does now has even more tabbed features with ability to save tab sessions.
    2. Gestures:
    This is first to market and most elegant and intuitive gestures than the Moz plugin which caused me unpredicatable or inintentional behaviors with the gestures.
    3. Kickass Download manager
    The best download integration with browser. Stop start resume, etc,, With the new version you can download all the links in a page in just one operation.
    4. Memory and Speed:
    My normal usage takes only 20MB(I have 12 tabs open usually mostly java documentation that I can easily access) on minimizing it takes only 7MB.

    5. Search integration
    Believe it the searching google, amazon or ebay or your custom configuration is far superior to any browser out there.

    Only negative I have is the rendering of pages. For example Yahoo! Mail had pull down menu. But I can't get it to work in Opera given that Yahoo! is a megaplex on the web.

    So give it a try and you'll never turn back just I did.
    If it makes your life better thank Opera team and you'll be better for it.