Opera says bug probably can't commandeer machines
A security vulnerability identified in Opera can be exploited to crash users' browsers, but probably can't lead to the remote execution of malware, a company spokesman said. The buffer overflow bug was disclosed by Vupen Security on Thursday, and the report has since been picked up by others, including Secunia and Sans. The …
Now you've gone and done it, now you've signed your own death warrant. I suggest hiding out in Mongolia for a few months...
You cannot attack Opera and expect to live. Not even a negative mention. The freetards and the commentards will not allow it to happen. You have maybe not killed, but certainly stuck a pointy stick into a sacred cow.
I understand a certain NASA engineer is selling "personal air devices" for just such rapid escapes as the one you will be needing...good luck, and don't forget to write. Perhaps you can tell us if Mongolian women really do wash their armpits....
What on earth are you ranting on about?
Attack Opera?
NASA?
Been drinking too much again?
I'm a Firefox "fanboi" because it does the things I want it to do and it offers the add-ons I am looking for, despite having some security issues.
Despite, because nothing is secure, Opera has just proved this.
Don't want to sound smug, but given the flack I've taken for not ditching Firefox and switching to Opera... it's kinda hard not to. :-) And, whoo, it's a crowd pleaser. You don't need to click on anything dodgy, it is a messed-up HTTP header. Hehe, I could throw together some lame PHP to kill Opera. Nice one.
Anyway, point is, where there's a will there's a way.
Oh, and Opera - congratulations and welcome to the real world. I guess this is an indication that your market share is increasing nicely?
Uh, right, all applications have security holes. What's your point?
If you think this is Opera's first security hole, then you are extremely ignorant.
It's just that they are so rare, I guess.
"I could throw together some lame PHP to kill Opera. Nice one."
And I could throw together something to trigger a crash bug in Firefox. Your point being?
...true enough. And Opera does get the odd vulnerability from time to time. The main difference between Opera and other browsers is that -now the vulnerability is known- Opera are on the case. I get information on how to secure my system in the meantime (usually, and if it's possible) and I know there will be a fix for it pretty quickly.
"Don't want to sound smug, but given the flack I've taken for not ditching Firefox and switching to Opera"
As an Opera user, I WANT you to keep using Firefox. While Opera has minimal market share, the virus-writers concentrate on everybody else. Easylife.
My point being that this is a bugette that could be triggered with a single line of PHP code and _nothing_ else. Pretty nifty, huh?
First security hole? Nope. First crowd pleaser? Perhaps.
Excuse me, but are you drunk or something?
Most crashes or security holes are down to pretty simple code. You can crash just about any browser with a single line of PHP and nothing else if you put the right stuff there.
How does this make anything a "crowd pleaser"? Who's pleased? Rabid Firefox fanboys who can't handle the fact that Firefox had the most security holes by far in 2009?
I think most Opera users, like myself, are well aware that Opera is not immune from the odd vulnerability. This certainly is not the first, and likely won't be the last. It's a reality and thankfully some of us are blessed in that we were born without a pair of rose tinted glasses surgically attached to our faces. Everyone else uses Firefox.
Meanwhile, life goes on.
K-Meleon 1.54 was released today, Secunia report on previous version:
"There are no unpatched Secunia advisories..."
I know about multiple crash bugs in K-Meleon. For some reason they are not reported as "vulnerabilities" as this crash bug in Opera is.
So that there are no unpatched vulnerabilities is nonsense, if crash bugs are vulnerabilities.
I've been using K-Meleon as a secondary browser for over a year now and I can't actually recall it crashing. Same goes for checking out v1.6 alpha. Guess my system just works.
What do freetards have to do with Opera? I presume you are referring to OSS advocates. Opera is not Open Source and never has been.
I'm using Opera on Linux, but only for streaming radio. Not that I think it's only good for that, it's just what I've used it for so far.
that even after the Google hacking episode and all the furore that surrounded it and IE6, that people are still unaware of DEP, or how to activate it, or even more so that they haven't yet done so. Some people don't even know how to help themselves, not saying that they deserve problems because of it though. On the contrary, in a perfect world, who would need DEP to begin with.
Onwards, to Opera, according to Secunia PSI, which many people swear by, Opera is still rated the safest browser, it doesn't follow that it's the best, just the safest at the moment.
Personally, I can't get on with it (Opera 10.5) at the moment, the interface is too, hmmm, draining for my needs.
from a Firefix fan surely.
However the fact remains, Opera has a unparalleled security track record. If you want to be secure online, Opera is your best bet.
Does it work under Linux and are there any links to workign demos of the 'exploit'.
I switched on complete DEP (the hardware can do it, so less of a speed hit).
The first thing that keeled over dead was VisualBasic*. Heehee... But I guess that was back in the days before Microsoft knew how to code... oh, wait. :-)
* - under Windows, I want to get a program going with minimal fuss, hence VB. I can C, but it always seemed a pain in the ass to get Windows applications going, never mind enough boilerplate to have a functional window. If I want to code as a cathartic experience, that what ARM assembler is for.
Are you talking about VB6 here?
If so you might want to take a look at c#, much quicker to write simple utilities than C/C++ while faster and less annoying in so many ways than VB6. Much nicer language to work with once you get used to it.
Kinda makes sense DEP kills Visual Basic. Programming tools are among the apps that DEP cannot protect since it (by design) manipulates code--IOW, for a programming tool, code is data is code; they're one and the same.
There is a POC here http://www.hack0wn.com/view.php?xroot=672.0&cat=exploits
But I have no idea what's is supposed to prove. All I can say is that nothing happen when I load this page or download the php file. Is that supposed to crash and display a message ? It doesn't, not for me anyway.
If the only reason you're using VB is because MFC and ATL suck, then grab a copy of Qt.
(Qt Creator is a pretty good IDE now as well.)
All the tedious boilerplate goes away into autogenerated code and you can get on with the actual nuts'n'bolts of what the program is supposed to do - and most of the time it'll run under Linux and Mac as well. (Assuming you aren't poking the Win API or other windows-only things)
With regards to this failure - all applications that talk to that outside world are likely to have vulnerabilities. What matters is how the writers of the software respond to those vulnerabilities.
Mozilla and Opera have a very good record - they both accept that the bugs and vulnerabilities exist, and fix them pretty quickly. Microsoft do neither, which is why they are bad.
To be fair, MS have got a bit better - though they still insist on 'insecure by design' models for a lot of stuff. (ActiveX!)
I've posted a comment, yet it has not been published. I guess it's because of the link to the POC. Ok, then, I don't post the link, you can easily find it anyway. But I'm answering the question again : how does it work ? Because I've been to the page with Opera 10.10 and nothing happened. No crash, no message, nothing. So, what it's supposed to do ?
Secunia and Vulpen are only saying confirmed on 10.50. A lot of things were rewritten for that. Whoops? If you have Opera 10.10 ... waiting for 10.51 seems like not a bad idea now... probably a day or so.
Apparently 10.50 is also unkind to things such as bookmarks(?) during installation, but I think there's a way to back those up - look into it.
The attack is only supposed to crash Opera, but I think only if you're a researcher or an easily amused idiot should you look at a web page which demonstrates how to hack into your computer - particularly if you don't know the host.
Prepare for when it doesn't work. Back up. Repopulating your bookmarks (or your complicated session - save that too) is... tedious. Better safe than sorry.
just tried to look up how to enable DEP for Xp but when I tried to view the man page in Opera Mini it appeared all jumbled.
anyone got a copy of Opera Bjork Edition knocking about?
Found (google {DEP XP} ! ) at http://www.tech-recipes.com/rx/566/xp-sp2-how-to-turn-off-the-data-execution-prevention-feature-dep/
If it is considered fair to quote the lot (yes, this is how to turn OFF for one or more programs):
1. Click Start
2. Select Control Panel
3. Select System
4. Click the Advanced tab
5. In the Performance region select Settings
6. Click the Data Execute tab in the dialog box that opens
7. Select Turn on DEP for all programs and services except for those I select
8. Click Add.
9. The open dialog box will open. Browse and select your application.
10. Click Open
11. Click Apply
12. Click Ok
13. Reboot
I i!think you need a DEP-compatible processor as well as XP Service Pack 2 or 3.
Been using Kmeleon for more than a year too as default browser. Everyonne I know who uses that browser swears by the stability and speed. I never had it crash so You probably had a bad install or something?
Sign up, sign up for The Register's weekly IT security newsletter - click here
