Opera 7.0 Security Holes ... Fixed
An anonymous reader writes "GreyMagic has issued five new security advisories for the recently-released Opera 7.0. They affect the security model, the javascript console, images, the history and the error log (allowing access to the history). A new version will be released within 24 hours to fix the holes, according to an article at The Register." Update: 02/05 02:01 GMT by T : An anonymous reader writes "Opera Software have just released Opera 7.01 for Windows. This version fixes the recently discovered security holes less than 24 hours after they were discovered - a very impressive turnaround! The release is currently only available on Opera's FTP site. It can be downloaded with Java (12.9Mb) or without (3.3Mb)."
Thank god I'm using IE!
Only the State obtains its revenue by coercion. - Murray Rothbard
Opera 7 is nice but I am disinclined to put any new version of a browser on a critical computer. Other cautious types won't have been inconvenienced greatly either.
I like mouse gestures, but I don't know what to make of the new spatial navigation feature yet.
Last time there was a serious browser security problem KDE got Konqueror fixed by evening, Opera had fixes on one platform after a day and another platform after a couple of days, and Mozilla was about as good.
Many of my colleagues were still using the only major browser that took a week before anyone admitted they owned a problem, when the fix eventually came out.
I think this is long overdue. The last time I checked out opera, several people were murdered (including one by a barber - terrorists with nail clippers indeed!). On a previous excursion there was an actual war, culminating in the death of a cigarette girl. This kind of thing just has to stop, so the prospect of increased security is a welcome one. In the past the only evidence of surveillance has been a few people in fancy dress with cheap, tiny binoculars. That's just a recipe for anarchy.
Some ear protection would be nice too.
You've obviously never used Opera. Besides, you don't HAVE to buy it. If you can put up with a small, non-flashing banner ad, it's totally free as in beer.
TODO: Something witty here...
"Can somebody answer me why someone would buy a web browser these days?"
I paid for Opera, and I have 0 regret about that. Opera has, in my opinion, the best user experience. (UI, etc...) Did I have to buy it? No. They have an ad-supported version for free. However, I would like to encourage them to continue down their road towards maintaining the best UI.
IE 6 is not significantly different from IE5. Though they're free, they do not provide the same evolution that Opera 7 has in relation to Opera 6. Unfortunately, when you aren't making money on your browser, what's your incentive to compete?
BTW, as long as you're using the Ad-supported version of a browser, you are, in a sense, paying for it. Might as well clear that up now.
There are workarounds it says until the patch, just turn off javascript.. that gets rid of 4 of 5 holes. 5th hole is plugged by changing
m.replace(/\\/g, "\\\\" ) +
on line 52 of "console.html" in Opera's install dir with:
m.replace(/\\/g, "\\\\").replace(/"/g,"")+
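An added illustration (not from the original thread or from Opera's code) of what the one-line change in the comment above does, assuming the message m is concatenated between double quotes to form a JavaScript string literal; the surrounding code is not shown on this page, and escapeOld, escapeNew and the sample messages are constructed here.

```javascript
// The two expressions quoted in the comment, wrapped as functions (names are hypothetical).
function escapeOld(m) { return m.replace(/\\/g, "\\\\"); }
function escapeNew(m) { return m.replace(/\\/g, "\\\\").replace(/"/g, ""); }

// Scan the body of a double-quoted literal the way a JS lexer does:
// a backslash consumes the next character, an unescaped " ends the literal.
// Returns the index of the first unescaped quote, or -1 if there is none.
function firstUnescapedQuote(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") { i++; continue; }
    if (body[i] === '"') return i;
  }
  return -1;
}

// True when the escaped message cannot close the literal it is placed in.
function staysInsideLiteral(escape, m) {
  return firstUnescapedQuote(escape(m)) === -1;
}

// Constructed sample messages, not taken from any advisory.
const samples = [
  'plain text',
  'C:\\path\\file',   // backslashes only: both versions handle this
  'say "hi"',         // bare quote: only the patched version is safe
  'ends with \\"'     // backslash + quote: doubling the backslash frees the quote
];

function report() {
  return samples.map(m => ({
    message: m,
    oldSafe: staysInsideLiteral(escapeOld, m),
    newSafe: staysInsideLiteral(escapeNew, m)
  }));
}

console.log(report());
```

The last sample shows why doubling backslashes alone is not enough: the doubled backslash escapes itself, so the quote that followed it terminates the literal.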
"That ain't free. That's ADWARE. Crap I don't want on windows OR Linux."
Um. Why not?
The ads in Opera are not:
- Popups
- Spyware
- Intrusive
A small area of the interface has a banner. That's it. It doesn't do anything unless you click on it, and sometimes you even get cartoons up there!
I'd understand your attitude if the ads were like what Kazaa does, but that's not even close to the case here. It's no more than going to a site with a banner at the top. Only, in this case, the banner is up and out of the way and not part of the page itself.
My only nitpick about it is I wouldn't mind using that space to have more room for shortcuts etc. That'd be the big benefit to paying for it, really. The ads just aren't of much concern.
Furthermore, in an application - the problem of cohesion and coupling will forever rise. Unfortunately, many applications have modules that are heavily linked so when you ask "What isn't affected?", you aren't considering how many applications are programmed. Frankly, if module A is broken, in many, many cases where the design team was on the project for two weeks and the coding team never even talked to the design team, this would mean that B - F are also broken. I'm not saying this is a problem with Opera but some security flaws in a given module will often result in flaws being found in others.
I hate liberals. If you are a liberal, do not reply.
Opera didn't announce the exploits, idiot. They requested that the people who discovered them wait to announce them for TWO DAYS so that a fix could be released before the exploits became publicly known. The exploit discoverers did not comply. Opera did everything right, and it is impressive that they are working so fast and so hard to fix the problems.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
I know it might not help much, but all Opera users should give Phoenix a shot.
:)
:) (yeah, kudos to Phoenix developers!)
I used Opera and I really like it very much as its efficiency and functionalities can really beat any other alternatives. However, I failed to get Java and flash work properly on Linux, it always has some glitches here and there. Opera works fine in this regard in Windows, though.
Then I gave Phoenix a try. To my surprise, not only java and flash works flawlessly, its performance is even comparable to Opera! Although it doesn't have the same functionalities I'd find in Opera, but I can install extensions to enhance its usabilities. Above all, it wouldn't give you annoying banner ad (yes I didn't pay for Opera
I just tell from my experience, and I've no association with Phoenix development team.
They're crazy I tells ya!
According to this forum thread, it said "Grey Magic looking at the alert said they informed Opera in Nov. of the problems in beta 1 of version 7. In beta 2 Opera thought they had fixed it but instead had only fixed part and not all. On Jan. 31 Grey Magic informed Opera of these problems in version 7 final, Opera asked for them to wait till Feb. 6 before announcing so that they could have it fixed, Grey Magic chose not to wait just 2 more days."
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
...that full disclosure of security issues is not in the public's interest. Opera has aggressively been working on the problems, and has released 7.01 which (AFAIK) fixes said problems. However, they did not have reasonable time to address each issue once found.
It's one thing when a company sits on an exploit for a month without even acknowledging it. It's another when a company acknowledges it, and requests a reasonable amount of time to make a fix, and regression test that fix. Sheesh, give these guys a break - they patched very quickly and from what it looks like it's a stable patch.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Programmer1: Ouch! Somebody just discovered some security holes in our browser!
Programmer2: Yeah, I saw that too. I was working on it all morning, but I believe I've fixed all the outstanding issues in our code. Now we just need to notify our user base.
Programmer1: Yup. You gonna call him, or should I?
*RIMSHOT*
I'm a web developer running Win2K on all my dev machines. I run Opera, IE, Netscape and Phoenix on a daily basis. I paid for Opera 6. I paid for Opera 7 while it was still in beta. I paid for them because I believe any company who can fit something as comprehensive as Opera 7 into a 3Mb download deserve a little recognition, and at least now if it all goes wrong and Opera disappears into obscurity, I won't feel like it was my fault. :)
Technically, it has its problems - although many of them aren't Opera's fault. Too many existing sites are developed for IE/Netscape instead of being built around standards. I fire up IE for non-Opera compatible sites at least a couple of times a day - online banking being the main culprit. And I still can't get my head around the Opera 7 mail client. Outlook Express ain't perfect, but at least I can find my mail...
Thing is, I *like* Opera. Opera's tabbed browsing is the best I've ever seen. Opera handles 99% of existing websites and about 1% of known security exploits. I like the interface, I like the philosophy behind it, I like the fact that it supports alpha-channel PNGs even though there's not a website on earth that uses them properly 'cos IE still won't support them. I like the fact that you can zoom a page visually as opposed to just enlarging the font size - really useful if you're running 1600x1200 on a 17" monitor and someone's hardcoded their text to be 8px high. And - to be perfectly frank - I just like the fact that *someone* is taking W3C standards seriously, and I think that's worth $39. In terms of hours-usage-per-dollar, Opera represents much better value for money than Quake III or Deus Ex, and I didn't feel like either of those ripped me off... :)
-- Open Source: It's mad, but you don't have to work here to help.
Wrote 'em an email complaining about their security-through-obscurity model, and had a reply back from a developer within ten minutes, pointing me to the FTP site with the fixed version...
:)
That's not a bad response at all, IMHO.
And no, I don't work for 'em - are they hiring at the moment?
I'm with you completely. I've been an Opera-fanboy since the 3.x-beta series. It just gets more things right than other browsers -- and I'm continually looking at the alternatives (incl. Mozilla, Phoenix and Konq), but the feeling isn't there.
There's small things that I need, like the forward/backward gestures, I need my "tabs" at the bottom of the screen (the ones in Moz just look and feel wrong). Any browser I use must absolutely be able to maintain state between sessions. I'm constantly using features like shift+ctrl+click, reload-every-X-min. I also use the mail-client and I want it on to the left of my browser window (integrated, just like it is in Opera).
Unfortunately the Opera 7.0 release was way b0rken for me, but if they can ship one or two updates more (basically I couldn't use the email client, I was getting SSL_write() errors in my server log and messages never went out (and Opera didn't mention a thing!)). That's bad, but if they can fix it then Opera 7 might become the best thing since Opera 6.05 which I'm back to using now.
The only thing I truly lack in Opera now is a "developer raw tab" where I could see the HTTP requests and answers in the-raw, with a quick toggle between ASCII vs Hex+ASCII.
Other than that I guess a bit better control over plugins (enable/disable) would be nice. Don't remember if that's fixed in 7, but in the 6-series you'll have to muck around a plugins-ignore.ini which is only read on startup.
And oh, seeing the raw message+headers in the mail client. Where did that go? There was this odd hidden function (ctrl+shift+y or something) to copy the headers to the C'n'P-buffer, but...
Opera software, if you're reading this; Fix the mail client and I'll give you more of my money.
Belief is the currency of delusion.
Maybe 24 hours since it's been reported here, but look at the error reports, the latest report is dated January 29th, the earliest is from November (a variant of the hole in question).
I can't think of a single piece of software that meets those conditions. Not Linux, XFree86, KDE, GNOME, BSD, Apache, or even Hurd. Perhaps you should look up the true meaning of "public domain" (and possibly read the GPL).
It's hard to be religious when certain people are never incinerated by bolts of lightning.
For the alpha previews of their unix versions, go here.
Escher was the first MC and Giger invented the HR department.
Um. Why not?
The ads in Opera are not:
- Popups
- Spyware
- Intrusive
And the way the Web is nowadays, they just blend into the background!
Let me explain: Opera have shown their willingness to innovate and add new features to their browser. And they're good at it. Many of their ideas are very useful, *and* they're designed to benefit the user rather than create new "standards" to try and lock in developers.
Opera promoted the ideas of tabbed browsing and mouse gestures, ideas that were taken up by many Gecko-based browsers. The new release adds an intelligent "forward" button, understanding of navigational META tags, and small screen rendering.
If you watch Moz and Phoenix, you will see the influence of Opera - for example, the demand for Opera-style "rocker" gestures (using mouse button combos rather than movement) to be added to the gesture extensions.
Now, I'm not saying that Open Source projects should only clone and never innovate - and in fact, there are many innovations in Mozilla (pie menu navigation and type ahead find, for example). But Opera is a useful source of good interface ideas, and the company is not taking out bogus patents to "protect" them.
I'm a medical doctor.
My desktop computer is critical.
I need to look up stuff from our internal and external knowledge stores like the Dermatology advice (no URL offered by me!), and national electronic library for health GP Notebook and the US NIH, University of Iowa virtual hospital, that sort of stuff, while I'm dealing with patients.
In due course I may need to order (we say request) tests or further opinions which are accessed via a browser.
I think I need a browser on my critical computer.
I can do it by using the VNC session I maintain to the Linux machine on the network, and running the browser on that, but that makes cut and paste, and triggering a browser from a database noticeably more difficult.
First of all, let me make it clear that I would rather not pay for something if I can get it for free. Having said that the reasons I paid for Opera are:
1. Tabs
Say what you may about Konq, Phoenix having tabbed browsing. But Opera was the first and now has even more tabbed features with ability to save tab sessions.
2. Gestures:
This is first to market and most elegant and intuitive gestures than the Moz plugin which caused me unpredictable or unintentional behaviors with the gestures.
3. Kickass Download manager
The best download integration with browser. Stop, start, resume, etc. With the new version you can download all the links in a page in just one operation.
4. Memory and Speed:
My normal usage takes only 20MB (I have 12 tabs open usually, mostly java documentation that I can easily access); on minimizing it takes only 7MB.
5. Search integration
Believe it, the searching of Google, Amazon or eBay or your custom configuration is far superior to any browser out there.
Only negative I have is the rendering of pages. For example Yahoo! Mail had pull down menu. But I can't get it to work in Opera given that Yahoo! is a megaplex on the web.
So give it a try and you'll never turn back just as I did.
If it makes your life better thank Opera team and you'll be better for it.