Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opera Security Patched In Secret

Posted by Zonk on from the on-the-downlow dept.

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

4 of 88 comments (clear)

  1. patched in secret by dingDaShan · · Score: 5, Insightful

    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

    1. Re:patched in secret by (H)elix1 · · Score: 5, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

      --
      +++ UGUCAUCGUAUUUCU
    2. Re:patched in secret by electrosoccertux · · Score: 4, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)? Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
  2. Yea, What He Said??? by Slugster · · Score: 4, Insightful

    What's wrong with "security through obscurity" and closed-source code?

    After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
    ~