Slashdot Mirror


Opera Security Patched In Secret

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"


  1. patched in secret by dingDaShan · · Score: 5, Insightful

    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

    1. Re:patched in secret by (H)elix1 · · Score: 5, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

    2. Re:patched in secret by electrosoccertux · · Score: 4, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
    3. Re:patched in secret by Kelson · · Score: 4, Informative

      Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

    4. Re:patched in secret by Kjella · · Score: 4, Informative

      Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

      --
      Live today, because you never know what tomorrow brings
    5. Re:patched in secret by causality · · Score: 4, Interesting

      The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

      Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

      Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:patched in secret by QuietLagoon · · Score: 3, Interesting
      I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

      Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

      This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

    7. Re:patched in secret by causality · · Score: 2, Insightful
      First, is it genetically impossible for slashdotters to discuss something without bringing MS into it? Microsoft has nothing to do with this issue, idiot. Second, WTF are you talking about? Since when has Microsoft charged for fixes to IE, moron?
      Relax. As you yourself point out, Microsoft is often mentioned here. Therefore, the Microsoft reference was a well-known, and thus easily-utilized, example. Also, the implied example was along the lines of reasons given for upgrading from Windows 98 to XP, and now from XP to Vista, all of which do cost money. That Microsoft also fixes other software without charge does not invalidate this example, since no claim was made that Microsoft never uses any other tactic. However, if you have some kind of ultra-sensitivity, I suppose you could invent such a claim in your own perception, but in that case why call me the idiot?
      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. Not sold as cosmetic by Kelson · · Score: 4, Interesting

    The article claims that:

    Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

    The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

    On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

    All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

  3. Yea, What He Said??? by Slugster · · Score: 4, Insightful

    What's wrong with "security through obscurity" and closed-source code?

    After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
    ~

    1. Re:Yea, What He Said??? by lpq · · Score: 3, Funny

      Security through obscurity? Does not apply. It would be if the vendor had not fixed the problem and was relying on obscurity of the bug to protect users. Instead they fixed the bug. Sounds like Security Through Fixing It; not as great as Secure By Design though.

  4. Wii by neomunk · · Score: 3, Interesting

    I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?

    1. Re:Wii by jpardey · · Score: 4, Funny

      Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

      The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

      --
      I have freaks! I did something right...
  5. Re:But Opera is perfect! by Anonymous Coward · · Score: 2, Funny

    If you think perfectness is without holes, you're not dating much.

  6. OMG by phrostie · · Score: 2, Funny

    i bet Microsoft wouldn't do that.
    they would be 100% honest with us

  7. Re:But Opera is perfect! by gardyloo · · Score: 2, Funny

    If you think perfectness is without holes, you're not dating much.

    Topologically, what you're talking about isn't a hole, it's just an invagination. Oh, wait -- you mean *those* holes. OK, then I agree.

  8. embedded Opera also subject to these two things? by artifex2004 · · Score: 4, Interesting

    I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

  9. Re:But Opera is perfect! by kfg · · Score: 2, Funny

    It can't have holes!

    Opera is not responsible for the state of its users.

    KFG

  10. Why be secretive? by Rosco+P.+Coltrane · · Score: 3, Insightful

    The truth is, Opera has such a small share of the browser market that it just doesn't matter if the entire world knows about a remote exec hole or not: no cracker or pirate is going to code for such a small fish.

    What's more, by not disclosing vulnerabilities and coding behind the back of the users, it just makes the development team look like they've acquired their development habits at Microsoft.

    So I'd say Opera loses by hiding this...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  11. Opera wouldn't be the only product... by kiwioddBall · · Score: 3, Insightful

    I'm sure nearly every downloadable product patches security flaws in secret. Fixing a bug just isn't worth making a big song and dance about in a large number of cases. Secondly, the slashdot article assumes that it is known how to exploit a software bug. It is extremely hard to work out all the possible ways to exploit a software bug. It is a lot easier to just fix the issue.

    The only reason this article was written is because someone actually discovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just because the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).

    Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.

    In summary, more FUD on Slashdot.

  12. dev blogs and such by XO · · Score: 2, Insightful

    They've certainly made no secret about it in the dev blogs, and other places. I think the problem just lies in a minor disconnect between what the people writing the changelogs see as being important, and what the slashdot people see as important.

    Opera needs better public changelogs, and could use an improved bug tracking system on the public side, but other than that it's a damn fine browser.

    --
    "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    1. Re:dev blogs and such by richlv · · Score: 2, Informative

      oh, i know opera people will be reading this thread ;)
      please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3 ;), they will be reproduced and confirmed by more people and so on.

      if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in a bug submitting form "this should be viewable only by opera" and so on.

      --
      Rich
  13. You deserve to control your computer. by jbn-o · · Score: 3, Funny

    It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

    Users deserve software freedom.

    1. Re:You deserve to control your computer. by jbn-o · · Score: 2, Informative

      Free software cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and pursues as such, raising issues of social solidarity to make their point.

      By contrast, the open source movement argues for an increase in developmental efficiency and never discusses social solidarity. This technocratic message not only carries no weight with most computer users (who aren't developers), it stresses the quality of the programming over what users are allowed to do with a copy of the program once they get it. This is why a few OSI-approved licenses are considered non-free (such as the v1.x revisions of the Apple Public Source License)—the criteria for acceptance comes from the movements' different philosophies. This is also why open source proponents sometimes side with proprietors—running proprietary video drivers instead of switching to other hardware or simply doing without the fancy 3D graphics; setting up repositories where users can more easily acquire copies of proprietary software (like the Ubuntu GNU/Linux repo which carries Opera, among other proprietary programs). Some open source movement proponents even drop the pursuit of technical superiority when faced with an argument of popularity, which is why some endorse the use of the patent-encumbered MP3 lossy audio codec when Ogg Vorbis is not only technically superior (as demonstrated in numerous blind listening tests) but has objectively better tagging. Open source proponents have no means to argue against technically superior programs even when the license for those programs hold users separate and helpless to control their own computers.

      Years ago, Richard Stallman wrote about the difference between the two movements. More recently, he addressed this difference when he spoke at the fifth international GPLv3 conference in Tokyo in 2006. One interesting consequence of the differences is what you have to start with if you want the social solidarity the free software movement champions as well as powerful reliable software.

      So if I am offered a choice between a proprietary program which is powerful and reliable and a free program which is not, I choose the free program because that I can do in freedom. I'd rather make some practical sacrifices to reject oppression.

      But suppose you want both? Suppose you want freedom and solidarity, and you want powerful reliable software? How can you get it? You can't get that starting with the powerful, reliable, proprietary program because there is no way you can liberate that program. The only way you can get that, your ideal goal, is to start from the free program, technically inadequate as it may be, because you do have the option of improving it. That is the only path that can possibly ever get you to your ideal situation. Insist on freedom and make the program better.

      Finally, it's important to not conflate the difference between freedom and skill. Freedom has to do with permission. I have the freedom to criticize my government even though I can't write as well as the man whose pen name was William Shakespeare. I could choose to spend more time reading and learning to write better, as he did. My lack of skill does not in any way justify denying me my freedom of speech. So how well I can do this task, how well others I trust can do it, doesn't enter into the situation.