Forgot your password?
typodupeerror
Security The Internet

Opera Security Patched In Secret 88

Posted by Zonk
from the on-the-downlow dept.
An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"
This discussion has been archived. No new comments can be posted.

Opera Security Patched In Secret

Comments Filter:
  • patched in secret (Score:5, Insightful)

    by dingDaShan (818817) on Saturday January 06, 2007 @03:43PM (#17490278)
    Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?
    • by Slugster (635830) on Saturday January 06, 2007 @03:48PM (#17490340)
      What's wrong with "security through obscurity" and closed-source code?

      After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
      ~
      • by takeya (825259) *
        Well I think we know why security through obscurity is a bad idea, but improvements with obscurity doesn't seem like a terrible one.
      • by lpq (583377) on Sunday January 07, 2007 @12:26AM (#17494554) Homepage Journal
        Security through obscurity? Does not apply. It would be if the vendor had not fixed the problem and was relying on obscurity of the bug to protect users. Instead they fixed the bug. Sounds like Security Through Fixing It; not as great as Secure By Design though.

        • by arodland (127775)
          Security Through Fixing It And Not Telling People Why They Should Upgrade is much less effective than Security Through Fixing It.
    • by (H)elix1 (231155) <slashdot.helix@nOSPaM.gmail.com> on Saturday January 06, 2007 @03:55PM (#17490420) Homepage Journal
      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

      Than if it's good for Opera, is it OK for M$ as well?

    • by electrosoccertux (874415) on Saturday January 06, 2007 @04:21PM (#17490690)

      Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?
      Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

      The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
      • Re:patched in secret (Score:5, Informative)

        by Kelson (129150) * on Saturday January 06, 2007 @04:34PM (#17490830) Homepage Journal
        Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.
      • Re:patched in secret (Score:5, Informative)

        by Kjella (173770) on Saturday January 06, 2007 @04:52PM (#17490982) Homepage
        Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

        To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.
        • I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect
          and seriously pissed off linux distros that have a policy of backporting security fixes by doing so
        • by richlv (778496)
          it was already mentioned that this pisses off most if not all distros who backpot patches.
          now, some distros, like suse/opensuse also have non-oss repositories that include opera. i wonder what would they do - and such a failure to disclose timely might piss off distros more, as they can not provide security updates in a timely manner.
      • by causality (777677)

        The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.

        Indeed. I also resent Opera's unstated assumption that we're all so stupid we would never notice or care about their secrecy. Put another way, you don't do things like this unless you expect it to go unnoticed. I believe them to be either crazy or stupid or just plain arrogant to fail to consider that it only takes one person out there to notice th

      • Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?
        You fix things secretly when you want to hide the fact that your product has security holes, obviously to avoid bad press. Of course it can always backfire and then you have a story on slashdot about it.
    • Why is a secret security patch a problem?

      On one hand, company's scream, shout and sue if somebody publishes an exploit for one there products. When things are handled/reported they way they want, they try to cover it up... sorry, i think that's bad practice and Opera doesn't deserve a "grace" period between the expoit being reported to them and anonouncing it to the public.

      Why broadcast security problems (which only invites people to try to exploit the problems)?

      Kind of a "BushCo" approach to sec

      • Its not a bad thing to broadcast that software needs to be updated, but it might be harmful to broadcast exactly what the problem is. Also, perhaps Opera just wanted to make sure that the problem was fixed before telling the world about it.
      • by maxume (22995)
        You do realize that most locks on the market are hopelessly pickable right? Much of the time, good enough is.
    • Re:patched in secret (Score:4, Interesting)

      by QuietLagoon (813062) on Saturday January 06, 2007 @05:45PM (#17491416)
      I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

      Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

      This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

      • This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?
        I would agree, Opera messed up big. They were trying to avoid bad press, and it backfired, big time. Lying or hiding facts will never win you customer.
    • by arodland (127775)
      Because the people who are inclined to exploit the hole probably already know about it, while the people who should be upgrading to close the hole aren't even being told so. Is that really so hard?
    • by jbn-o (555068) <mail@digitalcitizen.info> on Saturday January 06, 2007 @08:20PM (#17492766) Homepage
      It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

      Users deserve software freedom.
      • by Sigma 7 (266129)

        With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

        Not exactly. Consider this "open source" fragment:

        long unsigned int maxwordsize(char *inputFromStdIn)
        {
        long unsigned int tmpwordsize=0,maxword=1,i;

        for (i=0; i

        This simple C fragment is designed to perform Fear, Uncertainty, and Doubt: it works fine on one platform, but becomes mysteriously slow on another.

        Rathe

      • by scdeimos (632778)

        It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

        Yes, absolutely, people deserve to have control of their own computer. But you're confusing "free" software (which can still be p

        • Re: (Score:3, Informative)

          by jbn-o (555068)

          Free software [gnu.org] cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and purs

    • Why is a secret security patch a problem?
      firstly many have a policy of not upgrading without a good reason, if they consider a security fix to be a good reason but not any of the other items in the changelog then people may unknowingly remain unpatched.

      secondly it smacks of trying to cover up problems and if you get a reputation for trying to cover up problems that will make people in the know very wary of your software (look at IE for example).
    • by shaitand (626655)
      Because Opera is a commercial product and the reason they hid the flaws is to give users a false impression that their product is more secure than it really is.
  • Not sold as cosmetic (Score:5, Interesting)

    by Kelson (129150) * on Saturday January 06, 2007 @03:44PM (#17490282) Homepage Journal

    The article claims that:

    Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

    The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

    On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

    All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

    • by Kjella (173770)
      All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

      How about stuff that stopped working in Opera 9? I can no longer download a new security certificate here [skandiabanken.no] in Opera
    • Re: (Score:1, Offtopic)

      by rapidweather (567364)
      I have Opera 9.10 in my Rapidweather Remaster of Knoppix Linux, a live cd linux.
      In addition, I run the browser inside of a "control script" that allows the user to recover if the browser crashes, this being in addition to the normal Opera setup for that purpose. If one closes the browser, the script asks, using a dialog box, if the user wanted to close the browser, yes or no, and if no, then the ~/.opera directory is retained in /ramdisk, and the user gets a dialog box to restart the browser (later, if desi
  • Wii (Score:3, Interesting)

    by neomunk (913773) on Saturday January 06, 2007 @03:49PM (#17490354)
    I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?
    • Re:Wii (Score:5, Funny)

      by jpardey (569633) <j_pardey.hotmail@com> on Saturday January 06, 2007 @04:25PM (#17490732)
      Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

      The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.
      • by Xymor (943922)
        Just applied your patch, thanks!
        Watching all those episodes of Dexter finnaly paid off.
      • by MobyDisk (75490)

        ...your grandmother, killing her. The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.
        Then it sounds like this is the kind of hack that fixes itself then!
    • If it enables homebrew apps on the wii, this is a niiiice thing. Backups are good, but for me, homebrews are the killer app (nothing like poking arround with code :))
  • OMG (Score:2, Funny)

    by phrostie (121428)
    i bet Microsoft wouldn't do that.
    they would be 100% honest with us
    • by Ash-Fox (726320)

      i bet Microsoft wouldn't do that.
      they would be 100% honest with us

      This is how Microsoft would probably report it:

      A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Joint Photographic Experts Group (JPG and JPEG) images. An attacker could exploit the vulnerability by constructing a specially crafted JPG image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail

  • Targeted attacks (Score:1, Informative)

    by Anonymous Coward
    I work in corporate security at a household-name dotcom. The big news story from 2006 was the dramatic increase in targeted attacks. These are small runs of unique malware (usually variants of well-known classes such as SDBot, SpyBot etc, tweaked until they get past desktop a/v software, though there's also been a significant reduction in time from bug to malware, and of 0days found in use in the wild - signs of increasing technical sophistication of the malware authors) which are used to attack a small ran
  • by artifex2004 (766107) on Saturday January 06, 2007 @04:10PM (#17490568) Journal
    I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

  • Would you update a system (production if you will) for cosmetic updates? What about security updates?
  • Because we STFU about security vulnerabilities nobody will exploit them and our users are safe. :)
  • Why be secretive? (Score:4, Insightful)

    by Rosco P. Coltrane (209368) on Saturday January 06, 2007 @05:05PM (#17491050)
    The truth is, Opera has such small share of the browser market that it just doesn't matter if the entire world knows about a remote exec hole or not: no cracker or pirate is going to code for such a small fish.

    What's more, by not disclosing vulnerabilities and coding being the back of the users, it just makes the development team look like they've acquired their development habbits at Microsoft.

    So I'd say Opera loses by hiding this...
    • by Pusene (744969)
      Youy're right about Opera losing by hiding the information, but you are dead wrong about calling it "small fish". With an installed base of 1.5% this is still several millions of computers you can infect, controll and monitor. Don't forget about the BlackICE ( http://it.slashdot.org/article.pl?sid=04/03/21/00 23254 [slashdot.org]) incident some time ago, no fish are too small on the internet due to the law of large numbers.
  • You can still crash Opera 9.1 simply by opening this image:

    http://img206.imageshack.us/img206/5597/img000211u q0.jpg [imageshack.us]

    Perhaps it is even possible to exploit the problem in one way or another. I've sent that info to Operas bug-tracking system about a week ago.

    Opera-side discussion for this bug is here:

    http://my.opera.com/community/forums/topic.dml?id= 172354&t=1168112391&page=1 [opera.com]
    • Confirmed. That image crashed Opera 9.10 on my Windows XP SP2 system.

      Except that I'm not going to post as an AC.
    • by Curien (267780)
      Confirmed on with Opera 9.10 on Linux as well.
  • if a bug is fixed in Opera...
  • by kiwioddBall (646813) on Saturday January 06, 2007 @05:56PM (#17491490) Homepage
    I'm sure nearly every downloadable product patches security flaws in secret. Fixing a bug just isn't worth making a big song and dance about in a large number of cases. Secondly, the slashdot article assumes that it is known how to exploit a software bug. It is is extremely hard to work out all the possible ways to exploit a software bug. It is a lot easier to just fix the issue.

    The only reason this article was written is because someone actually disovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just becasue the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).

    Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.

    In summary, more FUD on Slashdot.
    • > I'm sure nearly every downloadable product patches security flaws in secret.

      Except open source products, because they really kind hide it. They might not mention it on the change log (while they usually do), but even if they don't, users can see it from the code.

      I don't think Opera is fighting that much with IE as it is with Firefox (which we all know, is open source). So this is quite interesting news. Especially if you think that the security hole was known by a security company, so they probably wan
      • by Toram (1041694)
        Neither a lot of money nor a lot of people will give you good code. Good programmers and good QA does. Anyone remember the guy who was out to "publish a security bug a week", only to find Opera 9 was more secure than he had hoped?
  • dev blogs and such (Score:3, Insightful)

    by XO (250276) <blade@eric.gmail@com> on Saturday January 06, 2007 @06:12PM (#17491642) Homepage Journal
    They've certainly made no secret about it in the dev blogs, and other places. I think the problem just lies in a minor disconnect between what the people writing the changelogs as being important, and what the slashdot people see as important.

    Opera needs better public changelogs, and could use an improved bug tracking system on the public side, but other than that it's a damn fine browser.
    • Re: (Score:3, Informative)

      by richlv (778496)
      oh, i know opera people will be reading this thread ;)
      please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3 ;), they will be reproduced and confirmed by more people and so on.

      if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in
  • Web Browser receives patch, news at 11!

    Also, what I had for breakfast today, stay tuned for my full report, right after these messages!
    • Also, what I had for breakfast today, stay tuned for my full report, right after these messages!
      Someones been eating a lot of fiber..
  • Hello Wii homebrew..
  • OK, only vaguely related to the article (the whole developement transparency thing) but why doesn't Opera open source?
    They're not making any money on the desktop version of the browser anymore AFAIK. They seem to be making all their money on developing ports to embedded devices (PDAs, Cell Phones, etc). They could still continue to do that and continue making money doing so.
    I'm sure Opera would quickly become much more popular as a Free product. It is fast, stable, and standards compliant.

"The Street finds its own uses for technology." -- William Gibson

Working...