Opera patches browser flaws

Opera patches browser flaws

Summary: A new version of the Opera browser has been released with patches for a range of security vulnerabilities. The new Opera 9.

SHARE:
TOPICS: Browser
28
A new version of the Opera browser has been released with patches for a range of security vulnerabilities.

The new Opera 9.20, available for download here, fixes five security issues that put users at risk of cross-site scripting attacks.

Opera lists this as a "recommended upgrade" that provides cover for the following issues.:

  • Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See advisory.
  • Fixed an issue regarding handling of FTP PASV response.
  • XMLHttpRequest now treats separate ports on the same server as a different server.
  • Fixed an issue where scripts could continue to run after leaving the page.

Topic: Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion
  • Ryan Naraine you are coming off like a SECURITY GOD .

    I like your un-biased approach to every issue plaguing everything . Keep up the GREAT work , others at ZDNET could learn quite a few things from you .
    Betond the vista , a Leopard is stalking .
    • I don't appreciate the fact how ZDNET is screwing around with my login name

      Stop it already .
      Intellihence
      • And the leopard

        was trampled by the 800 pound gorilla...

        :)
        John Zern
        • Funny as it may seem John but your 800lb gorilla is losing weight .

          Don't be offended now , but isn't funny how you are showing up now after all the damage has been done to Microsoft's ego . Two flaws have shown up for your precious Vista already in less than a week . Awww , don't feel bad though , more issues will be surfacing for your bugged Vista OS .
          Intellihence
          • Better than 62

            Or there are those good ole Mega Patches.

            Not saying that one is better than the other, but Mac heads should direct their fingers towards mirrors if they plan on pointing and laughing about security.

            Why in the hell are we discussing this anyway, this deals with Opera
            nucrash
  • Just to set the record straight regarding these "Opera" issues

    1) Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. [url=http://www.opera.com/support/search/view/855/]See advisory.[/url]

    This advisory, titled "Multiple Browsers Cross Domain Charset Inheritance Vulnerability" on the advisory website, affects Firefox <= 2.0.0.1, Internet Explorer 7 & Opera 9.

    2) Fixed an issue regarding handling of FTP PASV response.

    The FTP PASV issue affected all browsers that (ironically) implemented the PASV command correctly (Firefox, Opera 9, Konqueror, Safart etc). As the [url=http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf]original advisory[/url] states:

    [i]Opera 9.10 warns users when it&#8217;s about to follow a URL containing a username (e.g. ftp://myuser@10.0.0.1/). This makes the attack described on Firefox unsuitable: we can&#8217;t pass information about which port we&#8217;d like Opera to scan in the FTP username. We could hardcode a target IP address and Port into the FTP server, but further research is needed to determine if this sort of attack is useful in practise.[/i]

    And finally...

    Opera didn't "patch browser flaws", this is a new version of Opera. I find it odd that you omitted the rest of the changelogs, in particular the main points of the 9.20 release - Speed Dial feature and the Developer Tools.

    Come on Ryan, at least report the WHOLE story instead of trying to skew it into a security issue.

    For anyone that has an interest in the Opera browser, this is the FULL changelog:
    ------------------------------------------------------------
    [b][u]Changes Since Opera 9.10[/u][/b]

    [b]User interface[/b]

    - Changed keyboard shortcuts Ctrl + 0-9 to call speed dial entries. Panel activation shortcuts moved to Ctrl + Shift + 0-9
    - Kiosk mode defaults to not displaying Speed Dial. Added new kioskmode switch kioskspeeddial to enable feature.
    - Added thumbnails on hover in Windows panel.
    - Added support for automatic search from address bar when entering more than one word.
    - Start bar disabled by default.
    - Added support for animated GIF images in skins.

    [b]Mail, messaging, and newsfeeds[/b]

    - IRC /quit messages now work properly.
    - Transfer status on IRC improved.

    [b]Display and scripting[/b]

    - CSS height:inherit now inherits the computed value.
    - Scripts in framesets now execute onload.
    - Applets inserted with innerHTML can now be called by JavaScript.
    - Manipulating content inside about:blank will now change the address of about:blank to match that of the manipulating page.

    [b]Developer Tools[/b]

    - Introduction of developer tools.

    [b]Security[/b]

    - Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
    - Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
    - XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
    - Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
    - Skandiabanken.no's message about successful certificate installation is now shown.

    [b]Miscellaneous[/b]

    - Multiple stability fixes.
    - Voluntary, anonymous usage statistics reporting feature added.
    - Flickr Organizr now works correctly in Opera.
    - Fullscreen movies on YouTube now start.
    - Images with broken exif data now display.
    - Saving big images should now work more reliably.
    - When specifying address:port without specifying the protocol, "http://" is once again inferred.
    - Added support for the optional "key" in BitTorrent tracker requests.
    Scrat
    • Looks to me like it could be...

      a security update mixed with some other things.. Pretty typical if you ask me.
      ju1ce
      • Opera has a history of this

        Yep, and Opera has a history of burying security patches and hiding flaw information when updates are rolled out.

        _ryan
        Ryan Naraine
        • Ouch! Bias much Ryan?

          Haha!
          You sound like a typical Mozilla fanboi now.

          Is you attack on Opera based, by any chance, on the fact that Opera's bug reporting system is not open like Bugzilla? If so, remember that Opera is not open source.

          If Opera deliberately hides flaw information, why do they post it in the changelogs?
          Scrat
          • Oh, and I forgot to add that Opera maintains a database of advisories

            http://www.opera.com/support/search/supsearch.dml?keyword=advisory&platformID=

            Damn those sneeky Opera developers for hiding that information out in the open on their website.

            They also openly [url=http://secunia.com/advisories/24877/]credit researches via Secunia.com[/url] as well. Damn the brilliant masking techniques of Opera ASA.
            Scrat
          • Security by PR is a big problem

            No man, I don't get myself into those silly camps where one product has to be promoted over another. I find those discussions interminably boring.

            It's an established fact that Opera uses "features" to mask security issues and handles disclosure by PR, rather than being upfront.

            See: http://blogs.securiteam.com/index.php/archives/794

            There's a reason vendors should be upfront about security and stop hiding behind features. Users might look at the list of new features and decide they're not worth the upgrade. When this happens, they're exposed to risk because they never knew about the security patches.

            Users shouldn't have to go searching for security information. It should be right htere, hitting them in the face. When PR/marketing handles security, we're all in trouble.

            _ryan
            Ryan Naraine
          • Glad to hear it Ryan, and sorry for the accusation.

            [i]"No man, I don't get myself into those silly camps where one product has to be promoted over another. I find those discussions interminably boring."[/i]

            I find them extremely annoying, but having been an Opera fan for a while, you get to hear the same criticisms and they usually belong to one camp or another.

            You are indeed correct in saying that marketing shouldn't handle security. Where I believe you are wrong is your assumption that this happens at Opera ASA. If what you say were true, hackers would be going out of their way to find vulnerabilities and zero-day them to embarress Opera, but that doesn't happen. Opera isn't simply REPORTED to be more secure than most, it IS. That's not to say that it doesn't have bugs / security issues, but they are few and far between compared to other flavours of web browser.

            I agree that the bug tracking system is annoying. I have reported bugs through the bug reporting wizard, and it is frustrating not knowing if a) the bug has been fixed or b) if the bug has been already reported. I guess the Opera team feel the trade-off is worth the criticism.
            Scrat
          • Sadly enought you are right

            If not for your post on the security advisories, I would have passed off on the upgrade due to the hassle.

            Although I am a bigger fan of Mozilla, Opera has become dominated my work computer. The Minefield build just frustrated me, so I switched over.
            nucrash
          • This I never knew about Opera...

            I just recently switched to Opera since it's finally able to display pages a little better.. .Although at times I do find myself thinking to switch back to Firefox. :)

            Who knows maybe I'll switch back but so far I've resisted.
            ju1ce
          • A quick test

            Go to http://news.google.com and run a quick search for news stories on this Opera upgrade. Just type in "Opera 9" and search for any mention of security patches.

            Did you find any? Ask yourself why...

            _r
            Ryan Naraine
          • Ryan, I think you are being over-critical here

            Considering:
            a) The number of users / market share / newsworthy articles regarding Opera, and
            b) The number of ACTUAL VULNERABILITIES which, regardless of whether they appear in Google News, DO appear on the securityfocus.com Bugtraq lists.

            The simple fact is that Opera is too small to report on, therefore most tech sites and tech bloggers simply don't bother. Your assumption that, because they do not appear on Google News, they must be covering up the truth is nothing short of ridiculous.

            Please Ryan, if you feel this strongly about this then get someone from Opera ON RECORD regarding this issue. I am not in a position to defend Opera against your criticisms (regardless of how accurate they may or may not be).

            Ju1ce, I would urge you to reconsider moving back to Firefox. Think about the recent .ANI vulnerability. IE - system pwned. FF - system pwned. Opera - .ANI vuln pwned. I know why I chose Opera!
            Scrat
          • I think because of Opera's small marketshare...

            It's doing the same thing Mozilla did in the beginning.. Touting security as the reason for switching which will bite them in the end like it's doing to Mozilla.

            The only reason I refuse to even look at IE7 unless it's a must is because I think ActiveX is a virus. :)
            ju1ce
        • So do most other software vendors... (NT)

          (NT)
          ju1ce
  • Opera More Secure than IE or FireFox

    Secunia monitors vulnerabilities in more than 9,500 products

    Opera - 100% Patched - (Every time I have checked over the years they have been 100% Patched. I check maybe 7-8 times per year.)

    Opera 9: http://secunia.com/product/10615/?task=statistics

    Opera 8: http://secunia.com/product/4932/?task=statistics

    IE - 78% UnPatched for current version - (I have never seen IE 100% patched when I periodically have checked over the years)

    IE 7: http://secunia.com/product/12366/?task=statistics

    IE 6: http://secunia.com/product/11/?task=statistics

    FireFox 1.X:
    http://secunia.com/product/4227/?task=statistics

    FireFox 2.X - 50% Unpached:
    http://secunia.com/product/12434/?task=statistics
    stds
    • But is it because of what Opera does according to...

      What Scrat and Ryan were discussing about PR?
      ju1ce