Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opera Security Patched In Secret

Posted by Zonk on from the on-the-downlow dept.

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

10 of 88 comments (clear)

  1. patched in secret by dingDaShan · · Score: 5, Insightful

    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

    1. Re:patched in secret by (H)elix1 · · Score: 5, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

      --
      +++ UGUCAUCGUAUUUCU
    2. Re:patched in secret by electrosoccertux · · Score: 4, Insightful

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)? Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
    3. Re:patched in secret by Kelson · · Score: 4, Informative

      Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

    4. Re:patched in secret by Kjella · · Score: 4, Informative

      Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

      --
      Live today, because you never know what tomorrow brings
    5. Re:patched in secret by causality · · Score: 4, Interesting

      The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

      Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

      Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. Not sold as cosmetic by Kelson · · Score: 4, Interesting

    The article claims that:

    Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

    The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

    On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

    All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

  3. Yea, What He Said??? by Slugster · · Score: 4, Insightful

    What's wrong with "security through obscurity" and closed-source code?

    After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
    ~

  4. embedded Opera also subject to these two things? by artifex2004 · · Score: 4, Interesting

    I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

  5. Re:Wii by jpardey · · Score: 4, Funny

    Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

    The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

    --
    I have freaks! I did something right...