About the SVG font manipulation vulnerability that was fixed in 11.52
By Sigbjørn Vik. Wednesday, October 19, 2011 8:18:02 AM
At Opera, we take security very seriously, and you can be sure that we would not choose to ignore exploitable security vulnerabilities.
With our release today of Opera 11.52, we now have a fix available for this issue, but we want to shed more light on what happened, as well as explain why we both ask for - and practice - responsible disclosure.
About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, giving details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. These fixes were released in a regular security update, Opera 11.11.
We passed these details back to the research group, asking for more details about the remaining issue that we could not reproduce, despite extensive testing, in the then-current Opera release. Among other things, we asked if there was a known way to reproduce it in then-current Opera releases. No further information could be obtained.
Fast-forward 6 months, and we find out that a researcher - presumably the same original researcher - has found a way to modify the vector, so current Opera releases could be exploited. We received no details about this modified vector until the details of it were made public, effectively putting our users at risk from the issue, without us immediately having any way to protect them.
At Opera, we advocate responsible disclosure, and would certainly have preferred to receive details of the modified vector before it was made public, so we could prepare a fix and coordinate the disclosure.
Unfortunately, to the best of our knowledge, that did not happen on this occasion.
Our article about reporting security issues includes the following recommendations:
Identify which version(s) of Opera you have tested, including which operating system versions. At least one of the tested versions should be the most recent release for the affected platforms.
Document what is needed to replicate the problem with a step-by-step procedure which includes the source code or command line operations.
We recommend that if you are planning to publish your report, the information you submit to us must at least include all of the information you are going to publish, preferably more. We have occasionally received reports that contained very limited information compared with what was eventually published, and therefore it was only after publication we were able to understand the true severity of the problem.
In this case, at the time it was reported, the issue had only been confirmed for older versions of Opera, not the current version. The recently published information contained details that were not included in the original report and that appear to be relevant to reproducing the issue.
With our release today of Opera 11.52, we have a fix available for this issue, less than a week after being made aware of the relevant details.
Other researchers responsibly disclosed their bug reports, such as Roberto Suggi Liverani from Security Assessment, who uncovered a particularly concerning crash bug, allowing us to fix it for 11.52 (even though our analysis did not find any way to exploit it). We thank him and others for helping us keep our users secure on the Web.
We recommend that all Opera users download and install this newest version.