Opera 7.0 Security Holes ... Fixed
An anonymous reader writes "GreyMagic has issued five new security advisories for the recently-released Opera 7.0. They affect the security model, the javascript console, images, the history and the error log (allowing access to the history). A new version will be released within 24 hours to fix the holes, according to an article at The Register." Update: 02/05 02:01 GMT by T : An anonymous reader writes "Opera Software have just released Opera 7.01 for Windows. This version fixes the recently discovered security holes less than 24 hours after they were discovered - a very impressive turnaround! The release is currently only available on Opera's FTP site. It can be downloaded with Java (12.9Mb) or without (3.3Mb)."
Thank god I'm using IE!
Only the State obtains its revenue by coercion. - Murray Rothbard
Seems like that list would be shorter.
I don't need no instructions to know how to rock!!!!
Opera 7 is nice but I am disinclined to put any new version of a browser on a critical computer. Other cautious types won't have been inconvenienced greatly either.
I like mouse gestures, but I don't know what to make of the new spatial navigation feature yet.
Last time there was a serious browser security problem KDE got Konqueror fixed by evening, Opera had fixes on one platform after a day and another platform after a couple of days, and Mozilla was about as good.
Many of my colleagues were still using the only major browser that took a week before anyone admitted they owned a problem, when the fix eventually came out.
I think this is long overdue. The last time I checked out opera, several people were murdered (including one by a barber - terrorists with nail clippers indeed!). On a previous excursion there was an actual war, culminating in the death of a cigarette girl. This kind of thing just has to stop, so the prospect of increased security is a welcome one. In the past the only evidence of surveillance has been a few people in fancy dress with cheap, tiny binoculars. That's just a recipe for anarchy.
Some ear protection would be nice too.
Would BUY a web browser? These things are commodity now in the terms of operating systems. We have IE and Mozilla for Windows, KHTML and Mozilla for Linux, and IE and Mozilla and KHTML for Mac.
We have Mouse gestures for Moz by plugin, Tabbed browsing for Moz and Konq, and any other feature deemed ok can easily be added in to Mozilla (either by source adds or plugins).
Can somebody answer me why someone would buy a web browser these days?
There are workarounds it says until the patch, just turn off javascript.. that gets rid of 4 of 5 holes. 5th hole is plugged by changing
m.replace(/\\/g, "\\\\" ) +
on line 52 of "console.html" in Opera's install dir with:
m.replace(/\\/g, "\\\\").replace(/"/g,"")+
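What the extra .replace in the workaround above changes, as an added example (not part of the original comment and not Opera's code). It assumes the escaped message ends up between double quotes in generated script; the helper names and sample messages are constructed for illustration.

```javascript
// Added example, not Opera's code. Assumption: the escaped message is placed
// between double quotes in script source that the console page generates.

// Escaping chain quoted for line 52 before the workaround.
function escapeBefore(m) {
  return m.replace(/\\/g, "\\\\");
}

// Escaping chain quoted in the workaround: double quotes are dropped too.
function escapeAfter(m) {
  return m.replace(/\\/g, "\\\\").replace(/"/g, "");
}

// Index at which `body` would close a double-quoted string literal early,
// or -1 if it contains no unescaped double quote.
function earlyTerminator(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") { i++; continue; } // backslash consumes next char
    if (body[i] === '"') return i;
  }
  return -1;
}

// Constructed sample messages (not taken from any advisory).
const SAMPLES = [
  "Syntax error on line 3",
  "Cannot open C:\\temp\\a.js",
  'Unexpected token "foo"',
  'trailing backslash then quote \\"',
];

// Run both chains over the samples and report where the literal would end.
function compare(samples) {
  return samples.map((m) => ({
    message: m,
    before: earlyTerminator(escapeBefore(m)),
    after: earlyTerminator(escapeAfter(m)),
  }));
}

console.table(compare(SAMPLES));
```

Doubling backslashes alone leaves a bare quote in the output, so the string literal ends at that position; with quotes stripped as well, every sample stays inside the literal.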
Furthermore, in an application - the problem of cohesion and coupling will forever rise. Unfortunately, many applications have modules that are heavily linked so when you ask "What isn't affected?", you aren't considering how many applications are programmed. Frankly, if module A is broken, in many, many cases where the design team was on the project for two weeks and the coding team never even talked to the design team, this would mean that B - F are also broken. I'm not saying this is a problem with Opera but some security flaws in a given module will often result in flaws being found in others.
I hate liberals. If you are a liberal, do not reply.
Opera didn't announce the exploits, idiot. They requested that the people who discovered them wait to announce them for TWO DAYS so that a fix could be released before the exploits became publicly known. The exploit discoverers did not comply. Opera did everything right, and it is impressive that they are working so fast and so hard to fix the problems.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
They weren't overnight. They've been working on them since Friday and wanted the announcement to come on Thursday so that they could properly test the fixes.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
but opera surely does rock!! I have tried Mozilla, Phoenix, and IE, and also Konqueror and some other browser on linux which I tested a while ago, and well.. sorry, but opera is by far the best browser I've ever used.. I would mourn if it suddenly went bankrupt or whatever, as none of the other browsers are good enough for me after having used opera. Of course, things are looking fairly good for opera and their future, even though they're competing in the deadliest of markets - this holds true especially for the portable market. When discussing opera and browsers, someone always comes on and says why not use phoenix instead?? I will tell you something.. to me, phoenix feels almost as bloated as mozilla.. it's just something with the.. interface.. difficult to describe.. even the renderer feels slower, or in some other way inferior to the one of opera, but.. the show stops already with the user interface.. there's just something not completely right about it.. opera has nothing too fancy in the way of interface design, but it just works and feels very good. So some seem to think us opera users just make stupid claims.. tell me this.. why the hell would i bother to pay for opera if phoenix is just as good or even better as many claim? For me, it simply isn't.. besides, opera has some functionality moz/phoenix cannot offer me yet.
You shouldn't put any browser on a Critical Computer.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
I know it might not help much, but all Opera users should give Phoenix a shot.
:)
:) (yeah, kudos to Phoenix developers!)
I used Opera and I really like it very much as its efficiency and functionalities can really beat any other alternatives. However, I failed to get Java and flash to work properly on Linux, it always has some glitches here and there. Opera works fine in this regard in Windows, though.
Then I gave Phoenix a try. To my surprise, not only do java and flash work flawlessly, its performance is even comparable to Opera! Although it doesn't have the same functionalities I'd find in Opera, I can install extensions to enhance its usability. Above all, it wouldn't give you annoying banner ad (yes I didn't pay for Opera
I just tell from my experience, and I've no association with Phoenix development team.
Opera comes up with security problems, and they're fixed in short order.
IE has one big security problem (script support) and a whole bunch of little ones, and the patches come, well, when they get around to it.
Conclusion: Well, you decide for yourself...
This Post Made From Within Opera (6.0)
According to this forum thread, it said "Grey Magic looking at the alert said they informed Opera in Nov. of the problems in beta 1 of version 7. In beta 2 Opera thought they had fixed it but instead had only fixed part and not all. On Jan. 31 Grey Magic informed Opera of these problems in version 7 final, Opera asked for them to wait till Feb. 6 before announcing so that they could have it fixed, Grey Magic chose not to wait just 2 more days."
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
...that full disclosure of security issues is not in the public's interest. Opera has aggressively been working on the problems, and has released 7.01 which (AFAIK) fixes said problems. However, they did not have reasonable time to address each issue once found.
It's one thing when a company sits on an exploit for a month without even acknowledging it. It's another when a company acknowledges it, and requests a reasonable amount of time to make a fix, and regression test that fix. Sheesh, give these guys a break - they patched very quickly and from what it looks like it's a stable patch.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Programmer1: Ouch! Somebody just discovered some security holes in our browser!
Programmer2: Yeah, I saw that too. I was working on it all morning, but I believe I've fixed all the outstanding issues in our code. Now we just need to notify our user base.
Programmer1: Yup. You gonna call him, or should I?
*RIMSHOT*
Yes, it is, because the code Apple released back to the KDE developers makes the browser fly.
http://promo.kde.org/3.1/feature_guide.php?page=4
"Much attention has recently been showered on the KDE HTML rendering engine due to its adoption by Apple in its Safari browser. While some of the efforts of the Safari developers have found their way into KDE 3.1, the vast majority of the Apple developers' performance, rendering and JavaScript improvements which will be incorporated into KHTML are scheduled for release with KDE 3.2."
It chaps my butt just a bit that Opera did not have the courtesy to send me an email letting me know that a new version was available. I registered my Windows and Linux versions. Maybe their email server is buggy too.
Wrote 'em an email complaining about their security-through-obscurity model, and had a reply back from a developer within ten minutes, pointing me to the FTP site with the fixed version...
:)
That's not a bad response at all, IMHO.
And no, I don't work for 'em - are they hiring at the moment?
Yes, I know the parent was sarcastic.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Programmer2: Nah... let's just post it on slashdot.
Interactive Visual Medical Dictionary
Maybe 24 hours since it's been reported here, but look at the error reports, the latest report is dated January 29th, the earliest is from November (a variant of the hole in question).
For the alpha previews of their unix versions, go here.
Escher was the first MC and Giger invented the HR department.
Standards compliance and pseudo-webbish features. Microsoft themselves culled a huge amount of crap and non-standard extensions between 4.0 and 5.0, some more between 5.0 and 5.5, and 6.0 is becoming stricter again.
(Although it should be added there's stuff in 5.5 that wasn't in 5.0; IIRC, the JavaScript XML parser is new in 5.5).
Yes, security through obscurity and all but shouldn't they have contacted Opera first to let them know and let them fix it before announcing them to the public? This isn't some 3 months-waiting-ms-bug, Opera 7 has been out for a month.
This sig was cut off by the sla
What about the huge memory leaks that were in the beta 2? Did they fix those as well? Just curious.
I love Opera, I just fell in love with it a week ago
Let me tell you something that all of us geeks should remember for future encounters with women: it's not love after a week, it's lust :)
It all goes downhill from first post
Let me explain: Opera have shown their willingness to innovate and add new features to their browser. And they're good at it. Many of their ideas are very useful, *and* they're designed to benefit the user rather than create new "standards" to try and lock in developers.
Opera promoted the ideas of tabbed browsing and mouse gestures, ideas that were taken up by many Gecko-based browsers. The new release adds an intelligent "forward" button, understanding of navigational META tags, and small screen rendering.
If you watch Moz and Phoenix, you will see the influence of Opera - for example, the demand for Opera-style "rocker" gestures (using mouse button combos rather than movement) to be added to the gesture extensions.
Now, I'm not saying that Open Source projects should only clone and never innovate - and in fact, there are many innovations in Mozilla (pie menu navigation and type ahead find, for example). But Opera is a useful source of good interface ideas, and the company is not taking out bogus patents to "protect" them.
I'm a medical doctor.
My desktop computer is critical.
I need to look up stuff from our internal and external knowledge stores like the Dermatology advice (no URL offered by me!), and national electronic library for health GP Notebook and the US NIH, University of Iowa virtual hospital, that sort of stuff, while I'm dealing with patients.
In due course I may need to order (we say request) tests or further opinions which are accessed via a browser.
I think I need a browser on my critical computer.
I can do it by using the VNC session I maintain to the Linux machine on the network, and running the browser on that, but that makes cut and paste, and triggering a browser from a database noticeably more difficult.
Clever signature text goes here.
First of all, let me make it clear that I would rather not pay for something if I can get it for free. Having said that the reasons I paid for Opera are:
1. Tabs
Say what you may about Konq, Phoenix having tabbed browsing. But Opera was the first and now has even more tabbed features, with the ability to save tab sessions.
2. Gestures:
This is first to market and more elegant and intuitive than the Moz plugin, which caused me unpredictable or unintentional behaviors with the gestures.
3. Kickass Download manager
The best download integration with browser. Stop, start, resume, etc. With the new version you can download all the links in a page in just one operation.
4. Memory and Speed:
My normal usage takes only 20MB (I have 12 tabs open usually, mostly java documentation that I can easily access); on minimizing it takes only 7MB.
5. Search integration
Believe it, searching Google, Amazon or eBay or your custom configuration is far superior to any browser out there.
Only negative I have is the rendering of pages. For example Yahoo! Mail had pull down menu. But I can't get it to work in Opera given that Yahoo! is a megaplex on the web.
So give it a try and you'll never turn back just as I did.
If it makes your life better thank Opera team and you'll be better for it.