Opera says bug probably can't commandeer machines

A security vulnerability identified in Opera can be exploited to crash users' browsers, but probably can't lead to the remote execution of malware, a company spokesman said. The buffer overflow bug was disclosed by Vupen Security on Thursday, and the report has since been picked up by others, including Secunia and Sans. The …

COMMENTS

This topic is closed for new posts.
  1. Robert Hill
    Grenade

    Poor Dan...

    Now you've gone and done it, now you've signed your own death warrant. I suggest hiding out in Mongolia for a few months...

    You cannot attack Opera and expect to live. Not even a negative mention. The freetards and the commentards will not allow it to happen. You have maybe not killed, but certainly stuck a pointy stick into a sacred cow.

    I understand a certain NASA engineer is selling "personal air devices" for just such rapid escapes as the one you will be needing...good luck, and don't forget to write. Perhaps you can tell us if Mongolian women really do wash their armpits....

    1. Anonymous Coward
      WTF?

      Yawn

      What on earth are you ranting on about?

      Attack Opera?

      NASA?

      Been drinking too much again?

  2. heyrick Silver badge
    Happy

    <smile!> Told you so...

    I'm a Firefox "fanboi" because it does the things I want it to do and it offers the add-ons I am looking for, despite having some security issues.

    Despite, because nothing is secure, Opera has just proved this.

    Don't want to sound smug, but given the flack I've taken for not ditching Firefox and switching to Opera... it's kinda hard not to. :-) And, whoo, it's a crowd pleaser. You don't need to click on anything dodgy, it is a messed-up HTTP header. Hehe, I could throw together some lame PHP to kill Opera. Nice one.

    Anyway, point is, where there's a will there's a way.

    Oh, and Opera - congratulations and welcome to the real world. I guess this is an indication that your market share is increasing nicely?

    1. Anonymous Coward
      FAIL

      Nothing is secure?

      Uh, right, all applications have security holes. What's your point?

      If you think this is Opera's first security hole, then you are extremely ignorant.

      It's just that they are so rare, I guess.

      "I could throw together some lame PHP to kill Opera. Nice one."

      And I could throw together something to trigger a crash bug in Firefox. Your point being?

      1. heyrick Silver badge
        Happy

        @ AC

        My point being that this is a bugette that could be triggered with a single line of PHP code and _nothing_ else. Pretty nifty, huh?

        First security hole? Nope. First crowd pleaser? Perhaps.

        1. Anonymous Coward
          FAIL

          Crowd pleaser?

          Excuse me, but are you drunk or something?

          Most crashes or security holes are down to pretty simple code. You can crash just about any browser with a single line of PHP and nothing else if you put the right stuff there.

          How does this make anything a "crowd pleaser"? Who's pleased? Rabid Firefox fanboys who can't handle the fact that Firefox had the most security holes by far in 2009?

    2. Anonymous Coward
      Anonymous Coward

      Nothing is secure

      ...true enough. And Opera does get the odd vulnerability from time to time. The main difference between Opera and other browsers is that -now the vulnerability is known- Opera are on the case. I get information on how to secure my system in the meantime (usually, and if it's possible) and I know there will be a fix for it pretty quickly.

      "Don't want to sound smug, but given the flack I've taken for not ditching Firefox and switching to Opera"

      As an Opera user, I WANT you to keep using Firefox. While Opera has minimal market share, the virus-writers concentrate on everybody else. Easylife.

  3. Anonymous Coward
    Anonymous Coward

    Poor Robert

    I think most Opera users, like myself, are well aware that Opera is not immune from the odd vulnerability. This certainly is not the first, and likely won't be the last. It's a reality and thankfully some of us are blessed in that we were born without a pair of rose tinted glasses surgically attached to our faces. Everyone else uses Firefox.

    Meanwhile, life goes on.

  4. Steve 72

    Meanwhile...

    K-Meleon 1.54 was released today, Secunia report on previous version:

    "There are no unpatched Secunia advisories..."

    1. Anonymous Coward
      FAIL

      K-Meleon crashes

      I know about multiple crash bugs in K-Meleon. For some reason they are not reported as "vulnerabilities" as this crash bug in Opera is.

      So that there are no unpatched vulnerabilities is nonsense, if crash bugs are vulnerabilities.

      1. Steve 72

        Interesting

        I've been using K-Meleon as a secondary browser for over a year now and I can't actually recall it crashing. Same goes for checking out v1.6 alpha. Guess my system just works.

  5. windywoo
    Thumb Down

    @ Robert Hill

    What do freetards have to do with Opera? I presume you are referring to OSS advocates. Opera is not Open Source and never has been.

  6. Lars Silver badge
    Happy

    No problems

    with Opera on Linux then, I suppose.

    1. Mal Adapted
      Linux

      Opera on Linux is OK

      I'm using Opera on Linux, but only for streaming radio. Not that I think it's only good for that, it's just what I've used it for so far.

  7. Neal 5

    It's hard to believe

    that even after the Google hacking episode and all the furore that surrounded it and IE6, that people are still unaware of DEP, or how to activate it, or even more so that they haven't yet done so. Some people don't even know how to help themselves, not saying that they deserve problems because of it though. On the contrary, in a perfect world, who would need DEP to begin with.

    Onwards, to Opera, according to Secunia PSI, which many people swear by, Opera is still rated the safest browser, it doesn't follow that it's the best, just the safest at the moment.

    Personally, I can't get on with it (Opera 10.5) at the moment, the interface is too, hmmm, draining for my needs.

  8. Anonymous Coward
    FAIL

    Mud slinging...

    from a Firefix fan surely.

    However the fact remains, Opera has an unparalleled security track record. If you want to be secure online, Opera is your best bet.

  9. Anonymous Coward
    Linux

    does it work under Linux

    Does it work under Linux and are there any links to working demos of the 'exploit'?

  10. heyrick Silver badge

    DEP

    I switched on complete DEP (the hardware can do it, so less of a speed hit).

    The first thing that keeled over dead was VisualBasic*. Heehee... But I guess that was back in the days before Microsoft knew how to code... oh, wait. :-)

    * - under Windows, I want to get a program going with minimal fuss, hence VB. I can C, but it always seemed a pain in the ass to get Windows applications going, never mind enough boilerplate to have a functional window. If I want to code as a cathartic experience, that's what ARM assembler is for.

    1. Nick Thompson

      Which VB version?

      Are you talking about VB6 here?

      If so you might want to take a look at c#, much quicker to write simple utilities than C/C++ while faster and less annoying in so many ways than VB6. Much nicer language to work with once you get used to it.

    2. Charles 9

      Re: DEP

      Kinda makes sense DEP kills Visual Basic. Programming tools are among the apps that DEP cannot protect since it (by design) manipulates code--IOW, for a programming tool, code is data is code; they're one and the same.

  11. e n

    poc

    There is a POC here http://www.hack0wn.com/view.php?xroot=672.0&cat=exploits

    But I have no idea what it's supposed to prove. All I can say is that nothing happens when I load this page or download the php file. Is that supposed to crash and display a message? It doesn't, not for me anyway.

  12. Richard 12 Silver badge

    @heyrick

    If the only reason you're using VB is because MFC and ATL suck, then grab a copy of Qt.

    (Qt Creator is a pretty good IDE now as well.)

    All the tedious boilerplate goes away into autogenerated code and you can get on with the actual nuts'n'bolts of what the program is supposed to do - and most of the time it'll run under Linux and Mac as well. (Assuming you aren't poking the Win API or other windows-only things)

    With regards to this failure - all applications that talk to that outside world are likely to have vulnerabilities. What matters is how the writers of the software respond to those vulnerabilities.

    Mozilla and Opera have a very good record - they both accept that the bugs and vulnerabilities exist, and fix them pretty quickly. Microsoft do neither, which is why they are bad.

    To be fair, MS have got a bit better - though they still insist on 'insecure by design' models for a lot of stuff. (ActiveX!)

  13. Anonymous Coward
    Anonymous Coward

    how ?

    I've posted a comment, yet it has not been published. I guess it's because of the link to the POC. Ok, then, I don't post the link, you can easily find it anyway. But I'm asking the question again: how does it work? Because I've been to the page with Opera 10.10 and nothing happened. No crash, no message, nothing. So, what is it supposed to do?

    1. Robert Carnegie Silver badge

      Maybe it is Opera 10.50 only.

      Secunia and Vupen are only saying confirmed on 10.50. A lot of things were rewritten for that. Whoops? If you have Opera 10.10 ... waiting for 10.51 seems like not a bad idea now... probably a day or so.

      Apparently 10.50 is also unkind to things such as bookmarks(?) during installation, but I think there's a way to back those up - look into it.

      The attack is only supposed to crash Opera, but I think only if you're a researcher or an easily amused idiot should you look at a web page which demonstrates how to hack into your computer - particularly if you don't know the host.

      1. Anonymous Coward
        Thumb Up

        Bookmarks

        Huh? Bookmarks work fine after upgrading.

        1. Robert Carnegie Silver badge

          Be glad when it works

          Prepare for when it doesn't work. Back up. Repopulating your bookmarks (or your complicated session - save that too) is... tedious. Better safe than sorry.

  14. Patrick O'Reilly

    M$ Bliss

    just tried to look up how to enable DEP for Xp but when I tried to view the man page in Opera Mini it appeared all jumbled.

    anyone got a copy of Opera Bjork Edition knocking about?

  15. Robert Carnegie Silver badge

    DEP recipe

    Found (google {DEP XP} ! ) at http://www.tech-recipes.com/rx/566/xp-sp2-how-to-turn-off-the-data-execution-prevention-feature-dep/

    If it is considered fair to quote the lot (yes, this is how to turn OFF for one or more programs):

    1. Click Start

    2. Select Control Panel

    3. Select System

    4. Click the Advanced tab

    5. In the Performance region select Settings

    6. Click the Data Execute tab in the dialog box that opens

    7. Select Turn on DEP for all programs and services except for those I select

    8. Click Add.

    9. The open dialog box will open. Browse and select your application.

    10. Click Open

    11. Click Apply

    12. Click Ok

    13. Reboot

    I think you need a DEP-compatible processor as well as XP Service Pack 2 or 3.

  16. JP19
    WTF?

    Doesn't Crash

    Been using Kmeleon for more than a year too as default browser. Everyone I know who uses that browser swears by the stability and speed. I never had it crash so you probably had a bad install or something?
