Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opera Security Patched In Secret

Posted by Zonk on from the on-the-downlow dept.

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

6 of 88 comments (clear)

  1. Not sold as cosmetic by Kelson · · Score: 4, Interesting

    The article claims that:

    Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

    The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

    On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

    All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

  2. Wii by neomunk · · Score: 3, Interesting

    I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?

  3. Re:patched in secret by Anonymous Coward · · Score: 1, Interesting
    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

    Than if it's good for Opera, is it OK for M$ as well?

  4. embedded Opera also subject to these two things? by artifex2004 · · Score: 4, Interesting

    I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

  5. Re:patched in secret by causality · · Score: 4, Interesting

    The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

    Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

    Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  6. Re:patched in secret by QuietLagoon · · Score: 3, Interesting
    I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

    Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

    This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?