
Opera Security Patched In Secret

Zonk posted more than 7 years ago | from the on-the-downlow dept.

Security 88

An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"

88 comments

patched in secret (5, Insightful)

dingDaShan (818817) | more than 7 years ago | (#17490278)

Why is a secret security patch a problem? Why broadcast security problems (which only invites people to try to exploit the problems)?

Yea, What He Said??? (4, Insightful)

Slugster (635830) | more than 7 years ago | (#17490340)

What's wrong with "security through obscurity" and closed-source code?

After all, they wouldn't try to make a bad product (or a product that does things you don't like), would they?
~

Re:Yea, What He Said??? (1)

takeya (825259) | more than 7 years ago | (#17494534)

Well I think we know why security through obscurity is a bad idea, but improvements with obscurity don't seem like a terrible one.

Re:Yea, What He Said??? (3, Funny)

lpq (583377) | more than 7 years ago | (#17494554)

Security through obscurity? Does not apply. It would be if the vendor had not fixed the problem and was relying on obscurity of the bug to protect users. Instead they fixed the bug. Sounds like Security Through Fixing It; not as great as Secure By Design though.

Re:Yea, What He Said??? (0)

Anonymous Coward | more than 7 years ago | (#17495748)

No browser is "Secure By Design".

Re:Yea, What He Said??? (1)

arodland (127775) | more than 7 years ago | (#17496390)

Security Through Fixing It And Not Telling People Why They Should Upgrade is much less effective than Security Through Fixing It.

Re:patched in secret (5, Insightful)

(H)elix1 (231155) | more than 7 years ago | (#17490420)

Why is a secret security patch a problem? Why broadcast security problems (which only invites people to try to exploit the problems)?

Good question. If I see an upgrade that adds functionality, I might just skip it. More often than not, the latest greatest just adds stuff I don't care about. If it is a security update, it always gets updated. I would potentially be exposed because I might not care about 'new themes', etc.

Re:patched in secret (0)

Anonymous Coward | more than 7 years ago | (#17490916)

However, most people are more interested in downloading new themes than in security patches. Overall, keeping it a secret was probably a good idea.

Re:patched in secret (4, Interesting)

causality (777677) | more than 7 years ago | (#17491302)

The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

Given how easily this could have been done, there simply is no justification for the secrecy. The most likely reason why they would have done it is some selfish attempt to save face (Who us? Exploitable? Nah....). While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal.

Security is important -- just ask any victim of identity theft. No matter which browser you use, mistakes will be made, and flaws will be found; this is common to any complex piece of software. Therefore what distinguishes one from the others is the openness of this process, the willingness to admit and redress failures, and the promptness with which this is done. I am quite satisfied with Firefox, but if I were looking for a new browser, this little incident would immediately make me distrust Opera and I would make it a point to look elsewhere.

Re:patched in secret (0)

Anonymous Coward | more than 7 years ago | (#17491662)

The solution to that, AC, is to describe the update as both "New Themes!" etc. and "Better Security" so that the "Ohh, Shiny!" crowd who think security does not matter will appreciate the new themes and download the update, while those who are more pragmatic will see that this is, in fact, also a security update and will apply it for that reason. This could only increase the overall acceptance of the patch.

No. Patches should be simple, clearly labeled, and be as discrete as needed by the added functionality and/or security. Anything else is the #2 reason patches are not automatically accepted. The #1 reason being, just - you know - "because".

Security is important -- just ask any victim of identity theft.

Honesty is more important -- just ask any victim of identity theft.

Re:patched in secret (-1)

Anonymous Coward | more than 7 years ago | (#17492038)

"While this is slightly better than the Microsoft method of "buy our next version, it'll be fixed in that one", it is definitely less than optimal. "

First, is it genetically impossible for slashdotters to discuss something without bringing MS into it? Microsoft has nothing to do with this issue, idiot.
Second, WTF are you talking about? Since when has Microsoft charged for fixes to IE, moron?

Re:patched in secret (2, Insightful)

causality (777677) | more than 7 years ago | (#17493806)

First, is it genetically impossible for slashdotters to discuss something without bringing MS into it? Microsoft has nothing to do with this issue, idiot. Second, WTF are you talking about? Since when has Microsoft charged for fixes to IE, moron?
Relax. As you yourself point out, Microsoft is often mentioned here. Therefore, the Microsoft reference was a well-known, and thus easily-utilized, example. Also, the implied example was along the lines of reasons given for upgrading from Windows 98 to XP, and now from XP to Vista, all of which do cost money. That Microsoft also fixes other software without charge does not invalidate this example, since no claim was made that Microsoft never uses any other tactic. However, if you have some kind of ultra-sensitivity, I suppose you could invent such a claim in your own perception, but in that case why call me the idiot?

Re:patched in secret (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17490454)

Why is a secret security patch a problem? Why broadcast security problems (which only invites people to try to exploit the problems)?

Then if it's good for Opera, is it OK for M$ as well?

Re:patched in secret (4, Insightful)

electrosoccertux (874415) | more than 7 years ago | (#17490690)

Why is a secret security patch a problem? Why broadcast security problems (which only invites people to try to exploit the problems)?
Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.

Re:patched in secret (4, Informative)

Kelson (129150) | more than 7 years ago | (#17490830)

Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.

Re:patched in secret (4, Informative)

Kjella (173770) | more than 7 years ago | (#17490982)

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?

To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.

Re:patched in secret (1)

petermgreen (876956) | more than 7 years ago | (#17493384)

I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect
and seriously pissed off linux distros that have a policy of backporting security fixes by doing so

Re:patched in secret (1)

richlv (778496) | more than 7 years ago | (#17497936)

it was already mentioned that this pisses off most if not all distros who backport patches.
now, some distros, like suse/opensuse also have non-oss repositories that include opera. i wonder what would they do - and such a failure to disclose timely might piss off distros more, as they can not provide security updates in a timely manner.

Re:patched in secret (1)

causality (777677) | more than 7 years ago | (#17491350)

The least they could do is say "we patched two security holes, but we won't tell you what they are". Doing anything more secret looks immediately suspicious.

Indeed. I also resent Opera's unstated assumption that we're all so stupid we would never notice or care about their secrecy. Put another way, you don't do things like this unless you expect it to go unnoticed. I believe them to be either crazy or stupid or just plain arrogant to fail to consider that it only takes one person out there to notice this and point it out to cause many people to question the merits of trusting them.

Re:patched in secret (1)

Emetophobe (878584) | more than 7 years ago | (#17498652)

Why does a security patch need to be kept secret? Why hide security problems (which have been patched)?
You fix things secretly when you want to hide the fact that your product has security holes, obviously to avoid bad press. Of course it can always backfire and then you have a story on slashdot about it.

Re:patched in secret (0)

Anonymous Coward | more than 7 years ago | (#17491006)

errr...

a) because the people who reported it will be able to verify that it's really fixed and

b) because it means that many people can have it before it becomes public knowledge getting rid of the zero day vulnerability.

Which really messes up the cracker's ability to build attacks based on the vulnerability release. Being serious though, if you did this with internet exploder, so many people reverse engineer each patch that it would definitely be noticed. That would be much worse than if you just admit the problem straight out. Opera is probably just under the radar and so it's a net security benefit. As with most security it's all about trade offs and "real world" stuff.

Re:patched in secret (1)

BLAG-blast (302533) | more than 7 years ago | (#17491186)

Why is a secret security patch a problem?

On one hand, companies scream, shout and sue if somebody publishes an exploit for one of their products. When things are handled/reported the way they want, they try to cover it up... sorry, I think that's bad practice and Opera doesn't deserve a "grace" period between the exploit being reported to them and announcing it to the public.

Why broadcast security problems (which only invites people to try to exploit the problems)?

Kind of a "BushCo" approach to security, no? Don't tell anybody anything? That's not security. People NEED to be informed so they can protect themselves. And it doesn't "only invites people to try to exploit", it invites people to fix the exploit on their computer. That's my computer and my data that Opera is exposing to risk of compromise - hiding it from me is just dirty practice.

Imagine if a door lock maker tried the same thing? Secretly fixing a security flaw then making the lock shiny or gold or something in the hopes you'll upgrade.

Well, I'm quite happy to remove Opera from my system now.

-B-b-

Re:patched in secret (1)

dingDaShan (818817) | more than 7 years ago | (#17491638)

It's not a bad thing to broadcast that software needs to be updated, but it might be harmful to broadcast exactly what the problem is. Also, perhaps Opera just wanted to make sure that the problem was fixed before telling the world about it.

Re:patched in secret (1)

maxume (22995) | more than 7 years ago | (#17491884)

You do realize that most locks on the market are hopelessly pickable right? Much of the time, good enough is.

Re:patched in secret (3, Interesting)

QuietLagoon (813062) | more than 7 years ago | (#17491416)

I was not planning to upgrade to Opera 9.10 because I didn't see the need to deal with the update just to get some minor new features.

Now I find out that my web browsing has made my PC vulnerable to exploits because Opera did not inform me of the security fix in the 9.10 version. Had I known about the security fix, I would have updated immediately.

This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?

Re:patched in secret (0)

zonker (1158) | more than 7 years ago | (#17494056)

Yes, obviously Opera hates you and wants your computer to die a thousand deaths. //yawn//

Re:patched in secret (1)

Emetophobe (878584) | more than 7 years ago | (#17498714)

This is not a good situation for Opera. It shows they have a total disregard for the security of my PC. What other security issues are lurking in the Opera browser? Why isn't Opera telling us about them?
I would agree, Opera messed up big. They were trying to avoid bad press, and it backfired, big time. Lying or hiding facts will never win you customers.

Re:patched in secret (1)

arodland (127775) | more than 7 years ago | (#17491430)

Because the people who are inclined to exploit the hole probably already know about it, while the people who should be upgrading to close the hole aren't even being told so. Is that really so hard?

You deserve to control your computer. (3, Funny)

jbn-o (555068) | more than 7 years ago | (#17492766)

It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

Users deserve software freedom.

Re:You deserve to control your computer. (1)

Sigma 7 (266129) | more than 7 years ago | (#17493418)

With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.


Not exactly. Consider this "open source" fragment:

long unsigned int maxwordsize(char *inputFromStdIn)
{
        long unsigned int tmpwordsize=0,maxword=1,i;

        for (i=0; i

This simple C fragment is designed to perform Fear, Uncertainty, and Doubt: it works fine on one platform, but becomes mysteriously slow on another.

Rather than leave the exercise up to the reader, I'll mention that this fragment was taken from the Underhanded C Contest [brainhz.com]. While the coding examples in that contest perform no real damage, an experienced coder could easily sneak in a root exploit into an open source project - in the same way that one person attempted to sneak a root exploit into the wait4() function call of the Linux Kernel.

Re:You deserve to control your computer. (1)

scdeimos (632778) | more than 7 years ago | (#17494024)

It helps illustrate how untrustworthy proprietary software is by default and why you should not promote or run proprietary software. How many other things are proprietors leaving out of their changelogs (assuming they publish them at all)? With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.

Yes, absolutely, people deserve to have control of their own computer. But you're confusing "free" software (which can still be proprietary) with "open source" software!

Don't try to kid yourself or anyone else here that the majority of people using FOSS have the gnouse to grok the source code that makes it up. By far the majority of FOSS users are non-technical people looking for a cheap solution and never even glance at the source - they trust other people to check it over and (be *honest enough*) to report and/or fix the problems. People going over the source is usually limited to the core development team and a few people actually considering contributing features or fixes.

Re:You deserve to control your computer. (2, Informative)

jbn-o (555068) | more than 7 years ago | (#17495604)

Free software [gnu.org] cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and pursues as such, raising issues of social solidarity to make their point.

By contrast, the open source movement argues for an increase in developmental efficiency and never discusses social solidarity. This technocratic message not only carries no weight with most computer users (who aren't developers), it stresses the quality of the programming over what users are allowed to do with a copy of the program once they get it. This is why a few OSI-approved licenses are considered non-free (such as the v1.x revisions of the Apple Public Source License)—the criteria for acceptance comes from the movements' different philosophies. This is also why open source proponents sometimes side with proprietors—running proprietary video drivers instead of switching to other hardware or simply doing without the fancy 3D graphics; setting up repositories where users can more easily acquire copies of proprietary software (like the Ubuntu GNU/Linux repo which carries Opera, among other proprietary programs). Some open source movement proponents even drop the pursuit of technical superiority when faced with an argument of popularity, which is why some endorse the use of the patent-encumbered MP3 lossy audio codec when Ogg Vorbis is not only technically superior (as demonstrated in numerous blind listening tests) but has objectively better tagging. Open source proponents have no means to argue against technically superior programs even when the license for those programs hold users separate and helpless to control their own computers.

Years ago, Richard Stallman wrote about the difference between the two movements [gnu.org]. More recently, he addressed this difference [fsfeurope.org] when he spoke at the fifth international GPLv3 conference in Tokyo in 2006. One interesting consequence of the differences is what you have to start with if you want the social solidarity the free software movement champions as well as powerful reliable software.

So if I am offered a choice between a proprietary program which is powerful and reliable and a free program which is not, I choose the free program because that I can do in freedom. I'd rather make some practical sacrifices to reject oppression.

But suppose you want both? Suppose you want freedom and solidarity, and you want powerful reliable software? How can you get it? You can't get that starting with the powerful, reliable, proprietary program because there is no way you can liberate that program. The only way you can get that, your ideal goal, is to start from the free program, technically inadequate as it may be, because you do have the option of improving it. That is the only path that can possibly ever get you to your ideal situation. Insist on freedom and make the program better.

Finally, it's important to not conflate the difference between freedom and skill. Freedom has to do with permission. I have the freedom to criticize my government even though I can't write as well as the man whose pen name was William Shakespeare. I could choose to spend more time reading and learning to write better, as he did. My lack of skill does not in any way justify denying me my freedom of speech. So how well I can do this task, how well others I trust can do it, doesn't enter into the situation.

Why is parent modded "funny"? (0)

Anonymous Coward | more than 7 years ago | (#17498254)

Parent should be modded "insightful" not "funny". This site has been on a straight line down hill slope for the last couple of years and this is just one more example of it. I might as well start reading zdnet again.

Re:patched in secret (1)

petermgreen (876956) | more than 7 years ago | (#17493228)

Why is a secret security patch a problem?
firstly many have a policy of not upgrading without a good reason, if they consider a security fix to be a good reason but not any of the other items in the changelog then people may unknowingly remain unpatched.

secondly it smacks of trying to cover up problems and if you get a reputation for trying to cover up problems that will make people in the know very wary of your software (look at IE for example).

Re:patched in secret (1)

shaitand (626655) | more than 7 years ago | (#17495022)

Because Opera is a commercial product and the reason they hid the flaws is to give users a false impression that their product is more secure than it really is.

Not sold as cosmetic (4, Interesting)

Kelson (129150) | more than 7 years ago | (#17490282)

The article claims that:

Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.

The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.

On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."

All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

Re:Not sold as cosmetic (0)

Anonymous Coward | more than 7 years ago | (#17490500)

Well, I'm using 8.5; I tried 9.0 and it had some problems like rss feeds not working right. I'll wait until 9.5.

Re:Not sold as cosmetic (0)

Anonymous Coward | more than 7 years ago | (#17492066)

>All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable."

And some people who still run Opera *6* because exporting mail to Thunderbird is not trivial. Once you do modify all your mailboxes manually, you lose having great browser integration and a modern mail client. (Thud works [thank you Open Source people!], but it's clunky. Rather like going back to Netscape 4 for a browser.)

M2 may have been a good idea for moving ahead with general users (especially phone users), but the sudden loss of the original mail client caused a lot of heavy users to mistrust Opera 'upgrades'. That will remain a factor for a while.

And yes, 9.x *is* less stable than 8.x. Far too often I'm looking at a frozen screen with "applet loading" on it. We've returned to the bad-old-days of Opera 6 and before. There's no way that should still be happening -- we've had three updates since 9.00.

And (sigh) this JPG issue is NOT fixed. See post below.
http://it.slashdot.org/comments.pl?sid=215438&cid=17491176 [slashdot.org]

Re:Not sold as cosmetic (1)

Kjella (173770) | more than 7 years ago | (#17493358)

All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.

How about stuff that stopped working in Opera 9? I can no longer download a new security certificate here [skandiabanken.no] in Opera 9.x, it just gives me a blank cert which doesn't work. Worked perfectly in 8.x (hell, I've been using it since Opera 6.x or thereabouts), and still does with an old install I tested. I've got better things to do than meddling with settings so now I just use IE/Firefox for that, and Opera 9 for the rest but it's annoying.

Re:Not sold as cosmetic (0, Offtopic)

rapidweather (567364) | more than 7 years ago | (#17493494)

I have Opera 9.10 in my Rapidweather Remaster of Knoppix Linux, a live cd linux.
In addition, I run the browser inside of a "control script" that allows the user to recover if the browser crashes, this being in addition to the normal Opera setup for that purpose. If one closes the browser, the script asks, using a dialog box, if the user wanted to close the browser, yes or no, and if no, then the ~/.opera directory is retained in /ramdisk, and the user gets a dialog box to restart the browser (later, if desired), with the current ~/.opera.

I like Opera, and have it preconfigured with 12 RSS newsfeeds.
I trust Opera to do the right thing when it comes to security, although I have added some security of my own.
Mostly this was done for those that do some online banking, and want to close the browser when finished, but keep the linux system up and running, perhaps for days. Opera is supposed to be a little lighter to run than Firefox or Flock (especially Flock), so I like to have it in the CD.
I have Mozilla Firefox 2.0.0.1, and Flock 0.7.9.1, all set up the same way, although Flock does not have any RSS feeds of my own built in. Do some banking, then switch browsers, closing one.

Once the user decides to finally close Opera, then the entire ~/.opera directory is deleted from /ramdisk.
Starting Opera once again gets a default ~/.opera placed in /ramdisk, that I have customized.

In addition to all of that, one can run any of the web browsers without any of my preconfigured ~/.mozilla, ~/.opera, or ~/.flock, using the menu. Then you get the default configuration, according to the web browser maker's setup. Change it to suit yourself, keep that config if you run a "persistent home directory" (OEM knoppix).

-- Rapidweather

But Opera is perfect! (-1, Troll)

WilliamSChips (793741) | more than 7 years ago | (#17490334)

It can't have holes!

Re:But Opera is perfect! (2, Funny)

Anonymous Coward | more than 7 years ago | (#17490408)

If you think perfectness is without holes, you're not dating much.

Re:But Opera is perfect! (2, Funny)

gardyloo (512791) | more than 7 years ago | (#17490490)

If you think perfectness is without holes, you're not dating much.

      Topologically, what you're talking about isn't a hole, it's just an invagination. Oh, wait -- you mean *those* holes. OK, then I agree.

Topological anatomy (1)

cnettel (836611) | more than 7 years ago | (#17490708)

Well, as the ovaries are not directly connected to the invagination of yours, the inner of the abdomen is actually exposed. The topology is hence quite different (in a highly theoretical sense no clear definition of inner vs. outer surface). Or, to quote Trek: "For the world is hollow and I've touched..."

Re:Topological anatomy (0)

Anonymous Coward | more than 7 years ago | (#17498740)

He wasn't talking about ovaries. There are two other openings popular for sexual activity which both sexes have. And since those two openings are connected, humans are toroidal. :)

Re:But Opera is perfect! (1)

WilliamSChips (793741) | more than 7 years ago | (#17499474)

I haven't dated at all, you insensitive clod, but I know it's not a security hole if you're using condoms.

Re:But Opera is perfect! (0)

Anonymous Coward | more than 7 years ago | (#17490828)

Well, all that twitter worship has certainly paid off.

Re:But Opera is perfect! (0)

Anonymous Coward | more than 7 years ago | (#17490874)

A fat lady singing has one massive hole in her...

Re:But Opera is perfect! (2, Funny)

kfg (145172) | more than 7 years ago | (#17490970)

It can't have holes!

Opera is not responsible for the state of its users.

KFG

Re:But Opera is perfect! (1)

Spicerun (551375) | more than 7 years ago | (#17492950)

"Opera is not responsible for the state of its users." KFG
What a wonderful way of saying 'Opera doesn't care about their users.'

Re:But Opera is perfect! (0)

Anonymous Coward | more than 7 years ago | (#17492392)

If it were Firefox, somebody could just write an extension to fix its lack of holes!

Wii (4, Interesting)

neomunk (913773) | more than 7 years ago | (#17490354)

I don't know anything about Wii modding (except that some fine work is being done in the wiimote-pc area) but doesn't the Wii use Opera? Is this going to help in cracking any trusted executable protection I assume (maybe incorrectly) they've used to foil pirates/legitimate backup makers?

Re:Wii (4, Funny)

jpardey (569633) | more than 7 years ago | (#17490732)

Good point. Also, if your Wii has a camera attached, hackers could watch your camera, and trigger your Wii controller to vibrate at precisely the right time to frighten your dog into leaping into your grandmother, killing her.

The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.

Re:Wii (1)

Xymor (943922) | more than 7 years ago | (#17491312)

Just applied your patch, thanks!
Watching all those episodes of Dexter finally paid off.

Re:Wii (1)

MobyDisk (75490) | more than 7 years ago | (#17493054)

...your grandmother, killing her. The best way to correct this flaw is to have no grandmothers. I have nothing to worry about.
Then it sounds like this is the kind of hack that fixes itself then!

Re:Wii (1)

marcelo.mosca (772859) | more than 7 years ago | (#17493004)

If it enables homebrew apps on the wii, this is a niiiice thing. Backups are good, but for me, homebrews are the killer app (nothing like poking around with code :))

Re:Wii (0)

Anonymous Coward | more than 7 years ago | (#17493080)

Yes, the Wii's browser is at least susceptible to the SVG vulnerability...

Hack on people with knowledge!

OMG (2, Funny)

phrostie (121428) | more than 7 years ago | (#17490450)

i bet Microsoft wouldn't do that.
they would be 100% honest with us

Re:OMG (1)

Ash-Fox (726320) | more than 7 years ago | (#17491600)

> i bet Microsoft wouldn't do that.
> they would be 100% honest with us

This is how Microsoft would probably report it:

A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Joint Photographic Experts Group (JPG and JPEG) images. An attacker could exploit the vulnerability by constructing a specially crafted JPG image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Targeted attacks (1, Informative)

Anonymous Coward | more than 7 years ago | (#17490556)

I work in corporate security at a household-name dotcom. The big news story from 2006 was the dramatic increase in targeted attacks. These are small runs of unique malware (usually variants of well-known classes such as SDBot, SpyBot etc, tweaked until they get past desktop a/v software, though there's also been a significant reduction in time from bug to malware, and of 0days found in use in the wild - signs of increasing technical sophistication of the malware authors) which are used to attack a small range of companies, or even a specific company. The idea is that there aren't enough samples in circulation to register on the radar of the traditional a/v companies. End-users in large corporates are used to the idea that IT keeps their A/V up to date, and they have decent firewalls and so on, and that false sense of security is their undoing. The targeted nature of the attacks means that the attacker can spend more time researching the victim company (getting the names of senior managers, for instance, to help with the social-engineering text to which the malicious Word doc is attached). Sooner or later a specific company is going to lose significant amounts of money, and eventually investors (and analysts) will wake up to the importance of REAL security, rather than the "we have a firewall and a/v, and we roll out Microsoft patches within a couple of weeks of Patch Tuesday. Why should we worry?" attitude which even very large organisations get by with. (This stance would have been called "best practice" five or six years ago, when every Windows server had half a dozen remote unauthenticated root vulns in network services. These days, client software is the vector of choice -- audio and video files, word processing, spreadsheet and presentation documents, that sort of thing.)

(There's also been an outbreak of "geek spam" (phishing, typically) containing technical jargon in an attempt to get under IT geeks' radar, but that's a story for another day... Don't be fooled! :)

embedded Opera also subject to these two things? (4, Interesting)

artifex2004 (766107) | more than 7 years ago | (#17490568)

I wonder if they tried to hide some of these because there may be devices with embedded Opera that can't be upgraded.

Re:embedded Opera also subject to these two things (1)

The MAZZTer (911996) | more than 7 years ago | (#17490814)

Most exploits tend to target desktop/laptop PCs, so the risk is much less for embedded systems (unless they run a desktop OS).

Updating? (1)

ms1234 (211056) | more than 7 years ago | (#17490646)

Would you update a system (production if you will) for cosmetic updates? What about security updates?

Our product is more secure (1)

UED++ (1043486) | more than 7 years ago | (#17490832)

Because we STFU about security vulnerabilities nobody will exploit them and our users are safe. :)

Why be secretive? (3, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17491050)

The truth is, Opera has such a small share of the browser market that it just doesn't matter if the entire world knows about a remote exec hole or not: no cracker or pirate is going to code for such a small fish.

What's more, by not disclosing vulnerabilities and coding behind the back of the users, it just makes the development team look like they've acquired their development habits at Microsoft.

So I'd say Opera loses by hiding this...

Re:Why be secretive? (1)

Pusene (744969) | more than 7 years ago | (#17491580)

You're right about Opera losing by hiding the information, but you are dead wrong about calling it "small fish". With an installed base of 1.5% this is still several millions of computers you can infect, control and monitor. Don't forget about the BlackICE (http://it.slashdot.org/article.pl?sid=04/03/21/00 23254 [slashdot.org]) incident some time ago, no fish are too small on the internet due to the law of large numbers.

Problem isn't exactly fixed yet ... (1, Offtopic)

Jammet (709764) | more than 7 years ago | (#17491176)

You can still crash Opera 9.1 simply by opening this image:

http://img206.imageshack.us/img206/5597/img000211u q0.jpg [imageshack.us]

Perhaps it is even possible to exploit the problem in one way or another. I've sent that info to Opera's bug-tracking system about a week ago.

Opera-side discussion for this bug is here:

http://my.opera.com/community/forums/topic.dml?id= 172354&t=1168112391&page=1 [opera.com]

Re:Problem isn't exactly fixed yet ... CONFIRMED (0)

Anonymous Coward | more than 7 years ago | (#17492204)

Mod parent up, confirmed this on Opera 9.10 on WinXP SP2.

Re:Problem isn't exactly fixed yet ... (0)

Anonymous Coward | more than 7 years ago | (#17493130)

I cannot crash Opera 9.10 on Windows XP SP2 by opening this image: http://img206.imageshack.us/img206/5597/img000211u q0.jpg [imageshack.us] .

I went to that url immediately before posting this.

What is supposed to happen?

Re:Problem isn't exactly fixed yet ... (1)

Jammet (709764) | more than 7 years ago | (#17496374)

It's supposed to crash. Of all the people who tried it you seem to be the first where it actually did not cause a crash. Probably a good sign.

Still, I wonder why the heck this problem has been modded offtopic now. There is nothing that could be done to make it even more ontopic than it already is.

Re:Problem isn't exactly fixed yet ... (1)

VGPowerlord (621254) | more than 7 years ago | (#17493694)

Confirmed. That image crashed Opera 9.10 on my Windows XP SP2 system.

Except that I'm not going to post as an AC.

Opera wouldn't be the only product... (3, Insightful)

kiwioddBall (646813) | more than 7 years ago | (#17491490)

I'm sure nearly every downloadable product patches security flaws in secret. Fixing a bug just isn't worth making a big song and dance about in a large number of cases. Secondly, the slashdot article assumes that it is known how to exploit a software bug. It is extremely hard to work out all the possible ways to exploit a software bug. It is a lot easier to just fix the issue.

The only reason this article was written is because someone actually discovered a security bug that had been fixed but not reported in Opera. This is absolutely no reason to slam Opera. Just because the writer found out about it is no reason at all. You're only hurting Opera because they fix security issues. The same argument could apply to Internet Explorer (spare me any IE flaming please).

Thirdly, Opera is not the most widely used browser. The fact is that any bug in Opera is not likely to be worth the time to exploit. Any exploit would only have a very remote chance of actually taking place. You have to lure someone to view your specially crafted JPG, and secondly they have to be using Opera to do it. Not very likely.

In summary, more FUD on Slashdot.

Re:Opera wouldn't be the only product... (1)

dvice_null (981029) | more than 7 years ago | (#17491746)

> I'm sure nearly every downloadable product patches security flaws in secret.

Except open source products, because they really can't hide it. They might not mention it on the change log (while they usually do), but even if they don't, users can see it from the code.

I don't think Opera is fighting that much with IE as it is with Firefox (which we all know, is open source). So this is quite interesting news. Especially if you think that the security hole was known by a security company, so they probably wanted to reveal the hole if Opera wouldn't do that. Which raises the question: How many holes have Opera found internally, and not revealed those at all, ever?

Ever wondered why there are so few security holes in Opera? It's not like they would have the best programmers in the world. Microsoft has more money and Firefox has more developers, yet both of them seem to have more holes, which seems unrealistic.

Re:Opera wouldn't be the only product... (1)

Toram (1041694) | more than 7 years ago | (#17530158)

Neither a lot of money nor a lot of people will give you good code. Good programmers and good QA do. Anyone remember the guy who was out to "publish a security bug a week", only to find Opera 9 was more secure than he had hoped?

dev blogs and such (2, Insightful)

XO (250276) | more than 7 years ago | (#17491642)

They've certainly made no secret about it in the dev blogs, and other places. I think the problem just lies in a minor disconnect between what the people writing the changelogs see as being important, and what the slashdot people see as important.

Opera needs better public changelogs, and could use an improved bug tracking system on the public side, but other than that it's a damn fine browser.

Re:dev blogs and such (2, Informative)

richlv (778496) | more than 7 years ago | (#17498154)

oh, i know opera people will be reading this thread ;)
please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3 ;), they will be reproduced and confirmed by more people and so on.

if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in a bug submitting form "this should be viewable only by opera" and so on.

Sloooow New Day, huh (1, Funny)

Mex (191941) | more than 7 years ago | (#17492064)

Web Browser receives patch, news at 11!

Also, what I had for breakfast today, stay tuned for my full report, right after these messages!

Re:Sloooow New Day, huh (1)

Emetophobe (878584) | more than 7 years ago | (#17498764)

> Also, what I had for breakfast today, stay tuned for my full report, right after these messages!

Someone's been eating a lot of fiber..

this is why we need FULL DISCLOSURE (-1)

Anonymous Coward | more than 7 years ago | (#17492290)

No waiting period. No "responsible" disclosure. No hand jobs for companies that can't write secure code.

If you find a bug, tell *me*, the user of the software. Tell me *right away*. Or keep the bug to yourself, which is your right.

ESPECIALLY if it's closed-source.

I hope these security "researchers" (I don't like that word, it makes it seem like security bugs appear naturally, rather than being something that a human hand created through negligence) learn their lesson and report the bug DIRECTLY TO THE USERS next time.

Companies don't like to vet their software for security holes. They'd rather somebody else do it for free. Don't give them this luxury, especially if they don't respect their users enough to even give them the source code so they can run "diff" themselves.

That's horrible! (0)

Anonymous Coward | more than 7 years ago | (#17495210)

I'm going back to IE immediately. The nerve of those Opera folks. Hummppfff.

Open Source (1)

EvilRyry (1025309) | more than 7 years ago | (#17502434)

OK, only vaguely related to the article (the whole development transparency thing) but why doesn't Opera open source?
They're not making any money on the desktop version of the browser anymore AFAIK. They seem to be making all their money on developing ports to embedded devices (PDAs, Cell Phones, etc). They could still continue to do that and continue making money doing so.
I'm sure Opera would quickly become much more popular as a Free product. It is fast, stable, and standards compliant.