Opera denies ignoring critical font manipulation vulnerability

Opera Software spars with a security researcher over (ir)responsible disclosure of a critical security vulnerability.

Opera has shipped a fix for a dangerous font manipulation vulnerability in its Web browser but the company is dismissing talk that it originally declined to address the problem.

The vulnerability, rated "critical," could allow remote code execution attacks.

From Opera's advisory:

Certain font manipulations inside a dynamically added and specifically embedded SVG image can cause Opera to crash. Additional techniques can reliably be used in combination with this crash to allow execution of arbitrary code.

The issue is now fixed in Opera 11.52 for Windows, Mac and Linux users.

The patch comes on the heels of an advisory from researcher Jose Vazquez that claims the flaw was reported to Opera 362 days ago.  "They have decided not to fix it," Vazquez said, a decision that prompted his release of a proof-of-concept exploit.

However, in a blog post accompanying the security update, Opera's Sigbjørn Vik accused the researcher of being irresponsible.

Here's the gist of Opera's response:

About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, giving details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. These fixes were released in a regular security update, Opera 11.11.

follow Ryan Naraine on twitter

We passed these details back to the research group, asking for more details about the remaining issue that we could not reproduce, despite extensive testing, in the then-current Opera release. Among other things, we asked if there was a known way to reproduce it in then-current Opera releases. No further information could be obtained.

Fast-forward 6 months, and we find out that a researcher - presumably the same original researcher - has found a way to modify the vector, so current Opera releases could be exploited. We received no details about this modified vector until the details of it were made public, effectively putting our users at risk from the issue, without us immediately having any way to protect them.

At Opera, we advocate responsible disclosure, and would certainly have preferred to receive details of the modified vector before it was made public, so we could prepare a fix and coordinate the disclosure.

If you use the Opera browser, be sure to apply this update.