Unfortunately opera: is the new chrome:
Friday, 31. October 2008, 23:46:20
Opera 9.62 is out. Please make SURE you upgrade as soon as possible, as we've just fixed one of the worst security issues I can remember having seen in Opera.
A while ago security researchers were forcing Mozilla to play catch-up, while they were figuring out several ways web content could inject JavaScript in the chrome: context, meaning it would run with the privilege of the Firefox User Interface. At the time it seemed much safer to be Opera which does not have a JS/XUL-based UI.
Not so fast.. Some of Opera's features have now gravitated towards HTML+JS-based screens in pages shown with the opera: protocol. The most powerful one is opera:config, and since all opera: pages can interact, a minor XSS exploit in opera:historysearch became an extremely bad security problem.
So, opera: is the new chrome: and we have to deal with that and lock any opera: resource down accordingly.
A while ago security researchers were forcing Mozilla to play catch-up, while they were figuring out several ways web content could inject JavaScript in the chrome: context, meaning it would run with the privilege of the Firefox User Interface. At the time it seemed much safer to be Opera which does not have a JS/XUL-based UI.
Not so fast.. Some of Opera's features have now gravitated towards HTML+JS-based screens in pages shown with the opera: protocol. The most powerful one is opera:config, and since all opera: pages can interact, a minor XSS exploit in opera:historysearch became an extremely bad security problem.
So, opera: is the new chrome: and we have to deal with that and lock any opera: resource down accordingly.
WIDGETIZE
David # 31. October 2008, 23:55
Have a nice weekend!
Micheál Seosamh # 1. November 2008, 01:05
Dane # 1. November 2008, 03:10
I'd say most Opera users won't even bother with small incremental updates like this if there's not a really good reason to upgrade (like new features etc.), and the severity of this security problem is not indicated on the download page, so how many people will really care?
Haavard # 1. November 2008, 08:56
A.Ruzanov # 1. November 2008, 10:30
Btw, I think that disabling opera:config#UserPrefs|EnableconfigURL will help also.
Opera 9.62 (opera:allinone) Remote Code Execution Exploit PoC - it new vulnerability?
Haavard # 1. November 2008, 15:36
Anonymous # 1. November 2008, 20:26
http://www.milw0rm.com/exploits/6884
Opera 9.62 (opera:allinone) Remote Code Execution Exploit PoC
And another remote code execution exploit hits the just newly patched 9.62, thats after Opera shipped 3 major security related releases last month(October) 9.60, 9.61, 9.62.
Hallvord R. M. Steen # 1. November 2008, 22:14
This presumed "exploit" just proves that "NeoCoderz" doesn't understand what the problem was, and trust me - his "exploit code" in fact makes no sense AT ALL. Seriously - he's trying to "inject" code that will simply eval() a string which is the path to calc.exe - as if that would automagically change Opera's preferences or make Opera throw that path at the system and execute it. Totally clueless. (He even claims his "exploit" is "injecting" this code into pages that do not accept any input - like opera:plugins and opera:about.
Short version: 9.62 IS SAFE, there is no new exploit that works against it. We'll keep working on hardening opera: pages' security policies just in case, but several smart people spent much of last week reviewing and analyzing all pages generated under the opera: protocol before we gave 9.62 a green light and called it safe.
Dane # 2. November 2008, 12:26
also, it seems another point I was trying to make was
lost a bit:
Why is this blog the only page that warns about the severity of the problem? I don't think regular users will care about such a incremental release and the standard "This is a recommended security and stability update" line that comes with every such release is probably understating the issue... Shouldn't this be on the front page?
Hallvord R. M. Steen # 2. November 2008, 15:18
Well, in fact it isn't - there is a security advisory and some coverage on tech news sites - but I see your point. For important security updates we should probably be able to put a small banner across all Opera.com pages that appears only to users visiting with insecure Opera versions, for example.
I'll follow up your criticism internally.
João Eiras # 3. November 2008, 00:25
Originally posted by hallvors:
That's quite typical. Wannabee hackers that really don't know very well what they're doing, and instead of doing responsible bug reporting, they simply disclose the bug to get some credit from being script newbs.
FataL # 3. November 2008, 16:32
The cons I see:
- bad integration with rest of browser interface
- more space for security issues
- slower than native implementation
- hard to match a behaviour and look of native OS interface widgets
The only pros I see:Hallvord R. M. Steen # 3. November 2008, 21:08
FataL # 3. November 2008, 21:22
So, I think your point is pretty match the same as mine -- HTML interfaces are easier and quicker way to implement cross-platform.
I updated my comment by adding "cross-platform" to be more precise.