Opera Security Patched In Secret 88
An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"
patched in secret (Score:5, Insightful)
Yea, What He Said??? (Score:4, Insightful)
After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
~
Re:patched in secret (Score:5, Insightful)
Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.
Re:patched in secret (Score:5, Insightful)
The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.
Why be secretive? (Score:4, Insightful)
What's more, by not disclosing vulnerabilities and coding being the back of the users, it just makes the development team look like they've acquired their development habbits at Microsoft.
So I'd say Opera loses by hiding this...
Opera wouldn't be the only product... (Score:4, Insightful)
The only reason this article was written is because someone actually disovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just becasue the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).
Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.
In summary, more FUD on Slashdot.
dev blogs and such (Score:3, Insightful)
Opera needs better public changelogs, and could use an improved bug tracking system on the public side, but other than that it's a damn fine browser.
Re:patched in secret (Score:3, Insightful)