Feeds

back to article Opera lances 'extremely severe' jpg bug

Opera has published an update to its flagship browser software that addresses a raft of security bugs. The version 9.64 update, released Wednesday, fixes a flaw that means maliciously crafted JPEG images can cause Opera to crash in such a way that arbitrary code gets executed. Opera describes the flaw as "extremely severe", and …

COMMENTS

This topic is closed for new posts.
Thumb Up

Weirdly...

It wouldn't allow me to scroll youtube pages last night, while on 9.63, as they'd go really funny... but service resumed as normal when i upgraded to 9.64.

just found that odd, as it worked perfectly the night before.

Opera's break the internet until you update tactic worked a treat methinks. They're always one step ahead... 2nd only to microsoft whose tactic is just break the internet.

0
0
Anonymous Coward

@Ideala2

You're suggesting that Opera somehow managed to get an update into your browser that stopped it working properly in order to force you to download an update? If they could have done that then they could have applied the bug fix without your needing to download the update. Or maybe the bug fix couldn't penetrate your tinfoil hat.

On a more sensible note why the fsck are they taking so long to get 10 out? I've been running the alpha for what seems like an age and I find it pretty stable.

0
0
Silver badge

Oooh , "Data Execution Prevention technology"!

Sounds really cool and cutting edge. But on other operating systems (who really should know better) they just use this funny old method of not running everything the user requires including the browser with admin priviledges. That way if some nasty malware does get on board the PC it can't crap out the OS. I know, its quaint old fashioned way of doing things , but strangely it works. Who'd have thought?

0
0
Bod

Welcome to 2004

These JPG vulnerabilities were locked down years ago.

Of course Opera stated they weren't vulnerable to the flaw that affected IE because they don't use Microsoft's GDI that had the flaw (http://www.opera.com/support/kb/view/780/).

And yet they went smugly on with a similar flaw in their own JPEG decoder!

0
0

Thanks

Thanks for the heads up, Mr TheReg. And thanks to Opera for a quick and frank fix.

0
0
Flame

jpeg libraries?

how many jpeg libraries are available on the web and how many of them are older than your mother, how many times do companies insist on writing their own crappy version instead of just using a normal off the shelf library.

must be the licence they hate, cause it's not like there is a shortage of jpeg libraries out there, I am sure one of them must be completely secure by now, the amount of time they are around for.

anyone know what jpeg library opera uses?

0
0
Jobs Horns

@Ideala2

The changelog shows that there are a few minor changes, not just the JPG bug fix. I think the official changelogs are just an overview and sometimes they let in a few minor tweaks that don't get documented but do result in some problems going away.

0
0
Bronze badge

Re: Jpeg Libraries

If I remember correctly, Opera used the standard libjpeg until recently, when one of their coders came up with an allegedly much smaller and faster replacement (apparently with the added bonus of being much more insecure too!). He was probably doing that as an excuse not to fix the manny annoying bugs that have plagued Opera since version 7 and still plague Opera 9.64.

0
0
Joke

Should any of you return:

Of course i wasn't -really- suggesting that Opera worked less well in order to get me to upgrade, it was just coincidental - and the timing rather amusing.

It's more likely something hadn't launched right when i first started it and the update caused opera + plugins to restart, or that youtube had made a minor change on their site, which adversely affected Opera, and was subsequently fixed along with the vuln as AC said.

And here was I thinking that the joke alert icon was just a joke. Apparently, you really need it!

0
0

Data Execution Prevention Technology

From Our Research Department.

Which is in Deptford, obviously.

0
0
Happy

But but...

"A bug?!

In Opera?!

But kind Sir, you are surely mistaken?!

Opera doesn't have bugs - especially security related ones!?

I have been assured so many times by authors on this very web repository"

Ah, the pleasure of living in glass houses.....

0
0
Anonymous Coward

@Chris Thomas

How many JPEG libraries will run unmodified on all the operating systems and devices that Opera is available for, and with the limited resources that those devices have? Opera rolled their own because it gave a better experience than an off-the-shelf package. I remember JPEG decoding on EPOC Web (using a third-party library) and it was painful, even on faster Psions like the Series 7.

@Neil Stansbury

I think you're imagining things here. I don't remember anyone seriously saying what you're alleging. But never fear, there's another raft of security holes for Firefox today too. I look forward to your comments appearing under that article...

0
0

Anyone else noticed?

You close a tab, in Opera, these days, and then go to Edit > Undo (or ctrl-z / command-z, if you're a shortcut freak), and it reopens the tab you just closed... on the page it was on previousl..., with it's entire brower history intact... even if you happen to be navigating halfway through that browser history.

In fact, you can shut the browser down and reopen it (hell, you can shut the entire -computer- down, and restart it) and it -still- works.

Very cool feature, for sure - how many times have any of us closed the wrong tab down accidentally? - but I wonder at the security implications... All this data is presumably written, somewhere. Let's hope it's written somewhere Fort-Knox-secure.

How long before the other browsers get this feature - and what bets they'll be able to reimplement it, without ballsing-up the security?

0
0
Tim

@ Daniel

It's done that for quite a while, and yes it is jolly useful too. Re security, there is a setting somewhere to delete most stuff on exit. I also disable the Wand feature.

Opera has loads of features I like, as well as it being quicker, (love the easy-to-use ad-blocker, particularly useful in ebay nowdays)... though I could never get on with (/remember) mouse gestures. I keep meaning to try the voice control feature too - has anyone had a go at that?

Tim#3

0
0
Flame

@anonymous coward

since nobody cares about EPOC anymore, and libjpeg and friends compile on pretty much any platform, I would say that it's incredibly stupid to think that writing your own is a good idea, like the commenter above says it. Some smarty pants thought he was clever to write his own and it includes bugs whereas the standard ones which are like 10 years old, all have them squished out, why? because of sheer time and exposure eliminates these things.

(I'm almost sure you could compile libjpeg for EPOC as well)

it's all been done before, EXCEPT in a brand new, completely untested codebase.

I am thinking that this isnt the "better expereicen" that you're referring to, but it's only that almost all coders know a brand new codebase will give their users.

Opera: FAIL

0
0
Bronze badge
Flame

Typical Bloody Opera

Thier "fix" for a bug in their SSL implementation that affected about 2 websites now causes about 1 in 20 websites using SSL to hang when loading, instead of just 2. Typical bloody Opera. No wonder I use Firefox so much these days.

0
0

This post has been deleted by a moderator

Anonymous Coward

@Chris Thomas

You don't quite get it. They rolled their own because it was faster and more efficient for *their* purposes and made it easier to use on different platforms, including those with just a few MB to run in.

And it wasn't very insightful to worry about whether people care about EPOC anymore. The point was that a web browser was made for a platform with limited resources (Psions) that used a third party 'one size fits all' JPEG library and it was not a pleasant experience for its users. The same thing applies today for mobile phones - which are important to Opera, along with the requirement for the same code to run on all platforms.

Thanks for picking up on my typing by the way. It's important we focus on such things when talking about JPEG libraries.

The simple fact is that Opera wrote some new software and it has some bugs in it. Wow, most people write perfect code the first time. When was the last time you heard of any bugs in Windows, Firefox, Apache, MySQL or PHP? Yeeees.

What I find strange is why so many people have a problem with some company doing whatever it likes with its product and resources. Why does it offend you? Other programs introduce new features or replace blocks of code and introduce bugs all the time, what's so special about a JPEG decoder?

0
0
Bod

@AC

"The simple fact is that Opera wrote some new software and it has some bugs in it"

There's introducing new bugs, and then there's repeating the obvious mistakes that have gone before.

This was a schoolboy error. If you are implementing a JPEG library, given the history of these vulnerabilities, it would be one of the key things to check. Given also how mature JPEG rendering is, the thing should work flawlessly without possibility of crashes by now, but then it's madness to be reinventing the wheel in this case.

Of course if Opera was open source, some eagle eyed geeks would have spotted this flaw immediately before the code was allowed to get beyond beta.

0
0
This topic is closed for new posts.