Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opera Security Patched In Secret

Posted by Zonk on from the on-the-downlow dept.

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

16 of 88 comments (clear)

  1. patched in secret by dingDaShan · · Score: 5, Insightful

    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

    1. Re:patched in secret by (H)elix1 · · Score: 5, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

      --
      +++ UGUCAUCGUAUUUCU
    2. Re:patched in secret by electrosoccertux · · Score: 4, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)? Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
    3. Re:patched in secret by Kelson · · Score: 4, Informative

      Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

    4. Re:patched in secret by Kjella · · Score: 4, Informative

      Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

      --
      Live today, because you never know what tomorrow brings
    5. Re:patched in secret by causality · · Score: 4, Interesting

      The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

      Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

      Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:patched in secret by QuietLagoon · · Score: 3, Interesting
      I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

      Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

      This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

  2. Not sold as cosmetic by Kelson · · Score: 4, Interesting

    The article claims that:

    Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

    The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

    On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

    All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

  3. Yea, What He Said??? by Slugster · · Score: 4, Insightful

    What's wrong with "security through obscurity" and closed-source code?

    After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
    ~

    1. Re:Yea, What He Said??? by lpq · · Score: 3, Funny

      Security through obscurity? Does not apply. It would be if the vendor had not fixed the problem and was relying on obscurity of the bug to protect users. Instead they fixed the bug. Sounds like Security Through Fixing It; not as great as Secure By Design though.

  4. Wii by neomunk · · Score: 3, Interesting

    I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?

    1. Re:Wii by jpardey · · Score: 4, Funny

      Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

      The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

      --
      I have freaks! I did something right...
  5. embedded Opera also subject to these two things? by artifex2004 · · Score: 4, Interesting

    I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

  6. Why be secretive? by Rosco+P.+Coltrane · · Score: 3, Insightful

    The truth is, Opera has such small share of the browser market that it just doesn't matter if the entire world knows about a remote exec hole or not: no cracker or pirate is going to code for such a small fish.

    What's more, by not disclosing vulnerabilities and coding being the back of the users, it just makes the development team look like they've acquired their development habbits at Microsoft.

    So I'd say Opera loses by hiding this...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. Opera wouldn't be the only product... by kiwioddBall · · Score: 3, Insightful

    I'm sure nearly every downloadable product patches security flaws in secret. Fixing a bug just isn't worth making a big song and dance about in a large number of cases. Secondly, the slashdot article assumes that it is known how to exploit a software bug. It is is extremely hard to work out all the possible ways to exploit a software bug. It is a lot easier to just fix the issue.

    The only reason this article was written is because someone actually disovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just becasue the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).

    Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.

    In summary, more FUD on Slashdot.

  8. You deserve to control your computer. by jbn-o · · Score: 3, Funny

    It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

    Users deserve software freedom.

    --
    Digital Citizen