Opera Security Patched In Secret

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

Targeted attacks

I work in corporate security at a household-name dotcom. The big news story from 2006 was the dramatic increase in targeted attacks. These are small runs of unique malware (usually variants of well-known classes such as SDBot, SpyBot etc, tweaked until they get past desktop a/v software, though there's also been a significant reduction in time from bug to malware, and of 0days found in use in the wild - signs of increasing technical sophistication of the malware authors) which are used to attack a small range of companies, or even a specific company. The idea is that there aren't enough samples in circulation to register on the radar of the traditional a/v companies. End-users in large corporates are used to the idea that IT keeps their A/V up to date, and they have decent firewalls and so on, and that false sense of security is their undoing. The targeted nature of the attacks means that the attacker can spend more time researching the victim company (getting the names of senior managers, for instance, to help with the social-engineering text to which the malicious Word doc is attached. Sooner or later a specific company is going to lose significant amounts of money, and eventually investors (and analysts) will wake up to the importance of REAL security, rather than the "we have a firewall and a/v, and we roll out Microsoft patches within a couple of weeks of Patch Tuesday. Why should we worry?" attitude which even very large organisations get by with. (This stance would have been called "best practice" five or six years ago, when every Windows server had half a dozen remote unauthenticated root vulns in network services. These days, client software is the vector of choice -- audio and video files, word processing, spreadsheet and presentation documents, that sort of thing.

(There's also been an outbreak of "geek spam" (phishing, typically) containing technical jargon in an attempt to get under IT geeks' radar, but that's a story for another day... Don't be fooled! :)

Re:patched in secret

[Kelson]

Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

Re:patched in secret

[Kjella]

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

Re:You deserve to control your computer.

[jbn-o]

Free software cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and pursues as such, raising issues of social solidarity to make their point.

By contrast, the open source movement argues for an increase in developmental efficiency and never discusses social solidarity. This technocratic message not only carries no weight with most computer users (who aren't developers), it stresses the quality of the programming over what users are allowed to do with a copy of the program once they get it. This is why a few OSI-approved licenses are considered non-free (such as the v1.x revisions of the Apple Public Source License)—the criteria for acceptance comes from the movements' different philosophies. This is also why open source proponents sometimes side with proprietors—running proprietary video drivers instead of switching to other hardware or simply doing without the fancy 3D graphics; setting up repositories where users can more easily acquire copies of proprietary software (like the Ubuntu GNU/Linux repo which carries Opera, among other proprietary programs). Some open source movement proponents even drop the pursuit of technical superiority when faced with an argument of popularity, which is why some endorse the use of the patent-encumbered MP3 lossy audio codec when Ogg Vorbis is not only technically superior (as demonstrated in numerous blind listening tests) but has objectively better tagging. Open source proponents have no means to argue against technically superior programs even when the license for those programs hold users separate and helpless to control their own computers.

Years ago, Richard Stallman wrote about the difference between the two movements. More recently, he addressed this difference when he spoke at the fifth international GPLv3 conference in Tokyo in 2006. One interesting consequence of the differences is what you have to start with if you want the social solidarity the free software movement champions as well as powerful reliable software.

So if I am offered a choice between a proprietary program which is powerful and reliable and a free program which is not, I choose the free program because that I can do in freedom. I'd rather make some practical sacrifices to reject oppression.

But suppose you want both? Suppose you want freedom and solidarity, and you want powerful reliable software? How can you get it? You can't get that starting with the powerful, reliable, proprietary program because there is no way you can liberate that program. The only way you can get that, your ideal goal, is to start from the free program, technically inadequate as it may be, because you do have the option of improving it. That is the only path that can possibly ever get you to your ideal situation. Insist on freedom and make the program better.

Finally, it's important to not conflate the difference between freedom and skill. Freedom has to do with permission. I have the freedom to criticize my government even though I can't write as well as the man whose pen name was William Shakespeare. I could choose to spend more time reading and learning to write better, as he did. My lack of skill does not in any way justify denying me my freedom of speech. So how well I can do this task, how well others I trust can do it, doesn't enter into the situation.

Re:dev blogs and such

[richlv]

oh, i know opera people will be reading this thread ;)
please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3 ;), they will be reproduced and confirmed by more people and so on.

if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in a bug submitting form "this should be viewable only by opera" and so on.