Opera Security Patched In Secret

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

patched in secret

[dingDaShan]

Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

Yea, What He Said???

[Slugster]

What's wrong with "security through obscurity" and closed-source code?

After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
~

Re:

[takeya]

Well I think we know why security through obscurity is a bad idea, but improvements with obscurity doesn't seem like a terrible one.

Re:Yea, What He Said???

[lpq]

Security through obscurity? Does not apply. It would be if the vendor had not fixed the problem and was relying on obscurity of the bug to protect users. Instead they fixed the bug. Sounds like Security Through Fixing It; not as great as Secure By Design though.

Re:

[arodland]

Security Through Fixing It And Not Telling People Why They Should Upgrade is much less effective than Security Through Fixing It.

Re:patched in secret

[(H)elix1]

Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

Re:patched in secret

[causality]

The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

Re:

[causality]

First, is it genetically impossible for slashdotters to discuss someting without bringing MS into it? Microsoft has nothing to do with this issue, idiot. Second, WFT are you talking about? Since when has Microsoft charged for fixes to IE, moron?

Relax. As you yourself point out, Microsoft is often mentioned here. Therefore, the Microsoft reference was a well-known, and thus easily-utilized, example. Also, the implied example was along the lines of reasons given for upgrading from Windows 98 to XP, and n

Re:

[Anonymous Coward]

Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

Than if it's good for Opera, is it OK for M$ as well?

Re:patched in secret

[electrosoccertux]

Why is a secret security patch a problem? Why broadcast security problems(which only invites people to try to exploit the problems)?

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.

Re:patched in secret

[Kelson]

Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

Re:patched in secret

[Kjella]

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

Re:

[petermgreen]

I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect
and seriously pissed off linux distros that have a policy of backporting security fixes by doing so

Re:

[richlv]

it was already mentioned that this pisses off most if not all distros who backpot patches.
now, some distros, like suse/opensuse also have non-oss repositories that include opera. i wonder what would they do - and such a failure to disclose timely might piss off distros more, as they can not provide security updates in a timely manner.

Re:

[causality]

The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.

Indeed. I also resent Opera's unstated assumption that we're all so stupid we would never notice or care about their secrecy. Put another way, you don't do things like this unless you expect it to go unnoticed. I believe them to be either crazy or stupid or just plain arrogant to fail to consider that it only takes one person out there to notice th

Re:

[Emetophobe]

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

You fix things secretly when you want to hide the fact that your product has security holes, obviously to avoid bad press. Of course it can always backfire and then you have a story on slashdot about it.

Re:

[BLAG-blast]

Why is a secret security patch a problem?

On one hand, company's scream, shout and sue if somebody publishes an exploit for one there products. When things are handled/reported they way they want, they try to cover it up... sorry, i think that's bad practice and Opera doesn't deserve a "grace" period between the expoit being reported to them and anonouncing it to the public.

Why broadcast security problems (which only invites people to try to exploit the problems)?

Kind of a "BushCo" approach to sec

Re:

[dingDaShan]

Its not a bad thing to broadcast that software needs to be updated, but it might be harmful to broadcast exactly what the problem is. Also, perhaps Opera just wanted to make sure that the problem was fixed before telling the world about it.

Re:

[maxume]

You do realize that most locks on the market are hopelessly pickable right? Much of the time, good enough is.

Re:patched in secret

[QuietLagoon]

I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

Re:

[Emetophobe]

This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

I would agree, Opera messed up big. They were trying to avoid bad press, and it backfired, big time. Lying or hiding facts will never win you customer.

Re:

[arodland]

Because the people who are inclined to exploit the hole probably already know about it, while the people who should be upgrading to close the hole aren't even being told so. Is that really so hard?

You deserve to control your computer.

[jbn-o]

It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

Users deserve software freedom.

Re:

[Sigma 7]

With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

Not exactly. Consider this "open source" fragment:

long unsigned int maxwordsize(char *inputFromStdIn)
{
long unsigned int tmpwordsize=0,maxword=1,i;

for (i=0; i

This simple C fragment is designed to perform Fear, Uncertainty, and Doubt: it works fine on one platform, but becomes mysteriously slow on another.

Rathe

Re:

[scdeimos]

It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

Yes, absolutely, people deserve to have control of their own computer. But you're confusing "free" software (which can still be p

Re:

[jbn-o]

Free software [gnu.org] cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and purs

Re:

[petermgreen]

Why is a secret security patch a problem?
firstly many have a policy of not upgrading without a good reason, if they consider a security fix to be a good reason but not any of the other items in the changelog then people may unknowingly remain unpatched.

secondly it smacks of trying to cover up problems and if you get a reputation for trying to cover up problems that will make people in the know very wary of your software (look at IE for example).

Re:

[shaitand]

Because Opera is a commercial product and the reason they hid the flaws is to give users a false impression that their product is more secure than it really is.

Not sold as cosmetic

[Kelson]

The article claims that:

Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

Re:

[Kjella]

All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

How about stuff that stopped working in Opera 9? I can no longer download a new security certificate here [skandiabanken.no] in Opera

Re:

[rapidweather]

I have Opera 9.10 in my Rapidweather Remaster of Knoppix Linux, a live cd linux.
In addition, I run the browser inside of a "control script" that allows the user to recover if the browser crashes, this being in addition to the normal Opera setup for that purpose. If one closes the browser, the script asks, using a dialog box, if the user wanted to close the browser, yes or no, and if no, then the ~/.opera directory is retained in /ramdisk, and the user gets a dialog box to restart the browser (later, if desi

Re:

[Anonymous Coward]

If you think perfectness is without holes, you're not dating much.

Re:

[gardyloo]

If you think perfectness is without holes, you're not dating much.

      Topologically, what you're talking about isn't a hole, it's just an invagination. Oh, wait -- you mean *those* holes. OK, then I agree.

Topological anatomy

[cnettel]

Well, as the ovaries are not directly connected to the invagination of yours, the inner of the abdomen is actually exposed. The topology is hence quite different (in a highly theoretical sense no clear definition of inner vs. outer surface). Or, to quote Trek: "For the world is hollow and I've touched..."

Re:

[WilliamSChips]

I haven't dated at all, you insensitive clod, but I know it's not a security hole if you're using condoms.

Re:

[WilliamSChips]

Just because I don't agree with your ridiculous little crusade doesn't make me a twitter-worshipper.

Re:

[kfg]

It can't have holes!

Opera is not responsible for the state of its users.

KFG

Re:

[Spicerun]

"Opera is not responsible for the state of its users." KFG

What a wonderful way of saying 'Opera doesn't care about their users.'

Re:

[WilliamSChips]

Troll? I can see the evil Firefox fanboy army is attacking...

Wii

[neomunk]

I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?

Re:Wii

[jpardey]

Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

Re:

[Xymor]

Just applied your patch, thanks!
Watching all those episodes of Dexter finnaly paid off.

Re:

[MobyDisk]

...your grandmother, killing her. The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

Then it sounds like this is the kind of hack that fixes itself then!

Re:

[marcelo.mosca]

If it enables homebrew apps on the wii, this is a niiiice thing. Backups are good, but for me, homebrews are the killer app (nothing like poking arround with code :))

OMG

[phrostie]

i bet Microsoft wouldn't do that.
they would be 100% honest with us

Re:

[account_deleted]

Comment removed based on user account deletion

Targeted attacks

[Anonymous Coward]

I work in corporate security at a household-name dotcom. The big news story from 2006 was the dramatic increase in targeted attacks. These are small runs of unique malware (usually variants of well-known classes such as SDBot, SpyBot etc, tweaked until they get past desktop a/v software, though there's also been a significant reduction in time from bug to malware, and of 0days found in use in the wild - signs of increasing technical sophistication of the malware authors) which are used to attack a small ran

embedded Opera also subject to these two things?

[artifex2004]

I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

Re:embedded Opera also subject to these two things

[The MAZZTer]

Most exploits tend to target desktop/laptop PCs, so the risk is much less for embedded systems (unless they run a desktop OS).

Updating?

[ms1234]

Would you update a system (production if you will) for cosmetic updates? What about security updates?

Our product is more secure

[UED++]

Because we STFU about security vulnerabilities nobody will exploit them and our users are safe. :)

Why be secretive?

[Rosco P. Coltrane]

The truth is, Opera has such small share of the browser market that it just doesn't matter if the entire world knows about a remote exec hole or not: no cracker or pirate is going to code for such a small fish.

What's more, by not disclosing vulnerabilities and coding being the back of the users, it just makes the development team look like they've acquired their development habbits at Microsoft.

So I'd say Opera loses by hiding this...

Re:

[Pusene]

Youy're right about Opera losing by hiding the information, but you are dead wrong about calling it "small fish". With an installed base of 1.5% this is still several millions of computers you can infect, controll and monitor. Don't forget about the BlackICE ( http://it.slashdot.org/article.pl?sid=04/03/21/00 23254 [slashdot.org]) incident some time ago, no fish are too small on the internet due to the law of large numbers.

Problem isn't exactly fixed yet ...

[Jammet]

You can still crash Opera 9.1 simply by opening this image:

http://img206.imageshack.us/img206/5597/img000211u q0.jpg [imageshack.us]

Perhaps it is even possible to exploit the problem in one way or another. I've sent that info to Operas bug-tracking system about a week ago.

Opera-side discussion for this bug is here:

http://my.opera.com/community/forums/topic.dml?id= 172354&t=1168112391&page=1 [opera.com]

Re:

[Jammet]

It's supposed to crash. Of all the people who tried it you seem to be the first where it actually did not cause a crash. Probably a good sign.

Still, I wonder why the heck this problem has been modded offtopic now. There is nothing that could be done to make it even more ontopic than it already is.

Re:

[VGPowerlord]

Confirmed. That image crashed Opera 9.10 on my Windows XP SP2 system.

Except that I'm not going to post as an AC.

Re:

[Curien]

Confirmed on with Opera 9.10 on Linux as well.

if a tree falls in the forest...

[indigoid]

if a bug is fixed in Opera...

Opera wouldn't be the only product...

[kiwioddBall]

I'm sure nearly every downloadable product patches security flaws in secret. Fixing a bug just isn't worth making a big song and dance about in a large number of cases. Secondly, the slashdot article assumes that it is known how to exploit a software bug. It is is extremely hard to work out all the possible ways to exploit a software bug. It is a lot easier to just fix the issue.

The only reason this article was written is because someone actually disovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just becasue the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).

Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.

In summary, more FUD on Slashdot.

Re:

[dvice_null]

> I'm sure nearly every downloadable product patches security flaws in secret.

Except open source products, because they really kind hide it. They might not mention it on the change log (while they usually do), but even if they don't, users can see it from the code.

I don't think Opera is fighting that much with IE as it is with Firefox (which we all know, is open source). So this is quite interesting news. Especially if you think that the security hole was known by a security company, so they probably wan

Re:

[Toram]

Neither a lot of money nor a lot of people will give you good code. Good programmers and good QA does. Anyone remember the guy who was out to "publish a security bug a week", only to find Opera 9 was more secure than he had hoped?

dev blogs and such

[XO]

They've certainly made no secret about it in the dev blogs, and other places. I think the problem just lies in a minor disconnect between what the people writing the changelogs as being important, and what the slashdot people see as important.

Opera needs better public changelogs, and could use an improved bug tracking system on the public side, but other than that it's a damn fine browser.

Re:

[richlv]

oh, i know opera people will be reading this thread ;)
please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3 ;), they will be reproduced and confirmed by more people and so on.

if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in

Sloooow New Day, huh

[Mex]

Web Browser receives patch, news at 11!

Also, what I had for breakfast today, stay tuned for my full report, right after these messages!

Re:

[Emetophobe]

Also, what I had for breakfast today, stay tuned for my full report, right after these messages!

Someones been eating a lot of fiber..

Opera exploit?

[Forkenhoppen]

Hello Wii homebrew..

Open Source

[EvilRyry]

OK, only vaguely related to the article (the whole developement transparency thing) but why doesn't Opera open source?
They're not making any money on the desktop version of the browser anymore AFAIK. They seem to be making all their money on developing ports to embedded devices (PDAs, Cell Phones, etc). They could still continue to do that and continue making money doing so.
I'm sure Opera would quickly become much more popular as a Free product. It is fast, stable, and standards compliant.