Security @ Opera

About the SVG font manipulation vulnerability that was fixed in 11.52


Recently, news of an SVG-related vulnerability has been circulating on the net, along with claims that Opera had "decided not to fix it".

At Opera, we take security very seriously, and you can be sure that we would not choose to ignore exploitable security vulnerabilities.

With today's release of Opera 11.52 we have a fix available for this issue, but we also want to shed more light on what happened, and explain why we both ask for - and practice - responsible disclosure.

About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, with details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. The fixes shipped in a regular security update, Opera 11.11.

We passed these details back to the research group, asking for more details about the remaining issue that we could not reproduce, despite extensive testing, in the then-current Opera release. Among other things, we asked if there was a known way to reproduce it in then-current Opera releases. No further information could be obtained.

Fast-forward 6 months, and we learn that a researcher - presumably the same original researcher - has found a way to modify the vector so that current Opera releases could be exploited. We received no details about this modified vector until they were made public, effectively putting our users at risk from the issue without us immediately having any way to protect them.

At Opera, we advocate responsible disclosure, and would certainly have preferred to receive details of the modified vector before it was made public, so we could prepare a fix and coordinate the disclosure.

Unfortunately, to the extent of our knowledge, that did not happen on this occasion.

Our article about reporting security issues includes the following recommendations:

Identify which version(s) of Opera you have tested, including which operating system versions. At least one of the tested versions should be the most recent release for the affected platforms.

Document what is needed to replicate the problem with a step-by-step procedure that includes the source code or command line operations.

We recommend that, if you are planning to publish your report, the information you submit to us includes at least all of the information you are going to publish, preferably more. We have occasionally received reports that contained very limited information compared with what was eventually published, and therefore it was only after publication that we were able to understand the true severity of the problem.
In this case, at the time it was reported, the issue had only been confirmed for older versions of Opera, not the current version, and the recently published information contained details that were not included in the original report and that appear to be relevant to reproducing the issue.

With our release today of Opera 11.52, we have a fix available for this issue, less than a week after being made aware of the relevant details.

Other researchers responsibly disclosed their bug reports, such as Roberto Suggi Liverani from Security Assessment, who uncovered a particularly concerning crash bug, allowing us to fix it for 11.52 (even though our analysis did not find any way to exploit it). We thank him and others for helping us keep our users secure on the Web.

We recommend that all Opera users download and install this newest version.


Comments

ClashCityRocker (clashcityrocker) Wednesday, October 19, 2011 8:48:36 AM

Shame on Jose A. Vazquez for exposing Opera users to this. Very irresponsible.

He even tries to call himself a security expert, when he is just a dirty/lame hacker trying to make a name for himself....

He clearly fails to comprehend that a security expert would not have released details of a zero day.

Danielweep86 Wednesday, October 19, 2011 9:18:51 AM

nice work

Sever (sEveron) Wednesday, October 19, 2011 10:02:03 AM

So nice of you to put a blame on the guy who wanted to help you out and gave you the exploit half a year ago.

Too bad you didn't really "patch the hole" back then, otherwise how could he have the working version with minor modifications to the same exploit?

If he didn't release the thing, the hole still wouldn't be patched, waiting to be found (or maybe it was, we won't ever know) by someone with far less good intentions.

For me as a user, the act of releasing the exploit forces you to patch it and therefore makes me safer, so I'm grateful to Jose.

Now, with this post, you put yourself in a good light while making him the bad guy. It's all nice for your collective ego I suppose, but it kinda creates the image of Opera being a douche to the security researchers because they didn't try hard enough to get your attention.

That in turn makes it less likely for you to be warned in the future, as they would probably be better off just selling the exploit on the Russian malware trading portal for a few thousand bucks instead of sending it to you and being blamed publicly after the hole is released by them or anyone else half a year later.

For me the whole incident and its implications make Opera an inherently less secure browser for the reasons stated above.

OperaCrashed Wednesday, October 19, 2011 10:06:59 AM

Personally I don't think security vulnerability disclosure is 'irresponsible' - disclosure of any kind is already a great help for irresponsible program authors. Otherwise that vulnerability would be privately used for no one knows how long. (Oh, Sever was faster and wrote a nice explanation.)

BTW, the new Opera installer is one huge security hole itself - as now there is no GUI option to prevent Opera launching after upgrade (I hope the security implications are clear; if not, I can explain). Yes, there are obscure command line options to do that (and I use them) but it looks like everything was done to prevent regular people from using such an option.

DD32 Wednesday, October 19, 2011 10:42:10 AM

Originally posted by sEveron:

Too bad you didn't really "patch the hole" back then, otherwise how could he have the working version with minor modifications to the same exploit?

Coming from a fellow software developer, and knowing how complex parsers can be, it's short-sighted to claim that just because one researcher reproduced something, an Opera dev could've reproduced it exactly given the many different environmental variables.

It's like telling Toyota "Hey, btw, I've managed to have the brakes fail in my blue Toyota". The initial reaction is to look at the brakes in the latest line of blue cars and see if there's an obvious defect, but you're going to ask very quickly "What year and make was it exactly?". Security reporting is a two-way street: unless every specific detail is given in the initial report (and it's easy to miss one when reporting multiple items), it's sometimes hard to reproduce.

Originally posted by OperaCrashed:

Personally I don't think security vulnerability disclosure is 'Irresponsible' - disclosure of any kind already great help for irresponsible program authors.

You're correct: disclosure is important for developers, but developers are only human. All humans make mistakes and have oversights; it happens to the best of us. There's a difference between responsible disclosure and irresponsible disclosure.

Telling the cops there's going to be a robbery downtown is good and helpful if you have prior knowledge, but if you then ignore them and don't give any more details about what's actually going to happen... well, it's plain irresponsible. "Hey, I overheard XYZ saying they were going to rob a bank next week, they didn't say anything more specific though" is more responsible, or in this case "Hey, while servicing a client's computer, I stumbled across plans for a major terrorist attack targeting XYZ using ABC next week". Yes, crime is a bad example, but it has a similar set of responsible reporting.

The security reporter here obviously knew the correct thing to do: contact the company affected, explain the problem, and give them adequate time to respond. Unfortunately, they've not followed it up when they realised one vector was still exploitable (yes, it would've needed modifications simply due to Opera internals changing over time... that's not part of the problem really) and subsequently made an irresponsible disclosure which could've impacted users.

I don't know the full story, none of us do. Perhaps the researcher did contact Opera afterwards, perhaps the researcher didn't get the response (I've seen some report anonymously using fake email addresses - they're hard ones to follow up), perhaps the researcher replied via unreliable email and it just never showed up (hey, it works 99.9999% of the time, but it's not registered mail or anything... there's no received-ok flags... always the potential for spam filters too, they're not perfect).

In the end, a bug was found, and information about how to exploit it was released publicly. It's irresponsible; you don't go around telling people that someone left their door unlocked. Lay off Opera, it's probably not their complete fault. Humans are not 100%, and nor is software.

OgreLordXar Wednesday, October 19, 2011 10:48:34 AM

Hey Sever, you have to pick up my car and come get me... my life is in danger if you don't!
Seeing my email, you email back asking where my car is. But I do not reply. The next day I tell everyone you know that you're a wanker and a pickle sniffer cuz you didn't pick me up. Fair? Nope.

WillYum Wednesday, October 19, 2011 10:54:50 AM

Sounds good Opera. Though, tbh, it'd really be dependent on how vigorously you pursued the lost communication. Opera had confirmed valid issues, thus raising the credibility of the source and 6 months seems a long time for a "security researcher" to sit on an exploit (unless they're expecting a patch?).

I don't know the conversion for press release kudos to Euros but I can't imagine it's much, thus the onus remains on Opera to do its best to keep up with security researchers when possible. Glad it was fixed, even with the bruises and scrapes.

Sunshinecloudssunshine Wednesday, October 19, 2011 11:01:55 AM

Some researchers are just too eager to be famous; they could be heroes in a good way, but they chose not to be. No wonder those "researchers" play around the bugs of Windows with Microsoft, they could benefit from it financially.

Martin Rauscher (Hades32) Wednesday, October 19, 2011 11:35:47 AM

Originally posted by sEveron:

Too bad you didn't really "patch the hole" back then, otherwise how could he have the working version with minor modifications to the same exploit?

Well, probably because it's simply not the same exploit, but just a very similar one.
The point is, if it is true what Opera says (what I strongly believe) then, how can you blame them? They asked the creator how the exploit worked (or something like that, as that is not always easy to see just given a "working" exploit) and he didn't react. So what should they do in your opinion?
Though, personally I guess it's all probably just some unlucky coincidence and he didn't receive their questions...

Sever (sEveron) Wednesday, October 19, 2011 11:36:43 AM

Originally posted by DD32:

security reporting is a 2 way street, Unless every specific detail is given in the initial report (and it's easy to miss one when reporting multiple items) it's sometimes hard to reproduce.

And whose RESPONSIBILITY exactly do you think it is to put EFFORT into communicating over such issues?

Took me a minute to find Jose's twitter here, yo: http://twitter.com/#!/0xde1

Now tell me that Opera put a proper amount of effort into finding the guy and communicating with him on the issue instead of assuming it's not a problem because they "couldn't reproduce it".

1. They failed to understand the issue.
2. They failed to communicate with the researcher who found it.
3. They failed to admit the 2 fails above, and blamed the researcher, therefore making it less likely for people to cooperate with them, putting us all at risk.

Of course we are all humans and make mistakes, but we can choose to work on fixing these mistakes, or we can choose to blame others for not working with us on fixing them. Like Opera did.

Instead of thanking him for his research and sending him a check, they chose to blame him for releasing the exploit to the public. Not very encouraging for other researchers to try and help them out.

The release did not put us at risk, we were at risk all the time. Jose did us a favor, because obviously Opera failed to communicate about the issue with him, and releasing it publicly was the sure way to get the thing fixed pronto regardless of the Opera team's inability to communicate properly.

This way we have the hole patched, thanks to Jose's release.

In the next half year, someone else would find and use the exploit without notifying anyone, or sell it to spammers who would use it to infect our machines with spam-sending malware.

In the end, I could accept Opera's inability to communicate with independent specialists; I do accept Opera making mistakes.

But I cannot accept how they damage their relations with the security community by handling it the way they did.

As I stated above, blaming the researcher for making them fix things makes it less likely for future exploits to be handled properly. This is the damage we all receive here.

K4m1K4tz3 Wednesday, October 19, 2011 12:41:26 PM

It seems that this was a communication problem. So I would make your bug-tracking system more transparent. With the current system no one can see the listed bugs and no complex discussion can be started.

Charles Schloss (Chas4) Wednesday, October 19, 2011 12:55:44 PM

Nice fast patch time

Sigbjørn Vik (Sigbjorn) Wednesday, October 19, 2011 1:08:17 PM

Sever: We have no way of knowing if it was Jose Vazquez who found the bug we were told about 6 months ago. We have no record of any communication with Jose Vazquez (or his name) in our files. The first time his name came up was last week, there would have been no way for us to contact him before.

The bug we were told about was fixed, and we checked for any variants. Unfortunately, it sometimes happens that one can miss a variant of a bug, which we did in this case. I would love it if we somehow found a way to find every possible bug in Opera before releasing. Even though we try very hard, we still fail at this. Luckily, when we are notified of bad bugs, we are able to fix them quickly, as in this case.

6 months ago we were contacted by a security group, who passed on several old crashers. The security group had not found the crashers themselves, and did not pass on the name of the finder (both of which are quite normal). They were not able to get any more information about the crashers than the initial reports. They seem to have done some testing themselves, which confirmed what we had found ourselves.

I do not know anything about any communication between the finder and the security group.

I do not know anything about what happened in the 6 months between when the original variant of this bug was apparently found, and when it was passed on to us by a third party.

Irresponsible disclosure puts users at risk, but allows us to fix the issue, so it is better than no disclosure at all (or selling the issue on the black market). However, responsible disclosure will also get the issue fixed, without putting users at risk, so we greatly prefer this. Had we been notified of this issue earlier, we would also have fixed it earlier.

Robin Zalek (BtEO) Wednesday, October 19, 2011 1:08:19 PM

@Sever:
A twitter account that had been dormant for 10 months until a few days ago when the 0-day was released?

Also, in an article linked by said Twitter account:

Vázquez thinks that the Opera developers might have tested his version 10.6 exploit with the current version 11.x, which may have caused the exploit to malfunction. Instead of contacting Opera again, Vázquez has adapted the exploit for the current version 11.51 of Opera and has released it as a Metasploit module. This means that, in principle, anyone can now exploit the vulnerability.

That fits the pattern Opera are describing. Add the very real possibility of inadequate contact details and what more exactly should Opera have done? Unless you're calling this version of events outright lies — in which case I can't ever see any discussion in these comments reaching an accord.

Sebastián (slalaurette) Wednesday, October 19, 2011 1:08:25 PM

The wording of the report is clearly sensationalistic and doesn't sound like it comes from a reputable source. I smelled bad intentions at the first sentence. This has clearly been done on purpose, to try to damage Opera's reputation. If things had been done with seriousness and responsibility, rest assured that the tone of the report would be much drier.

Dierk Haasis (Evo2Me) Wednesday, October 19, 2011 1:11:15 PM

@Sever

Lack of reading skills on your part?

We passed these details back to the research group, asking for more details about the remaining issue that we could not reproduce, despite extensive testing, in the then-current Opera release. Among other things, we asked if there was a known way to reproduce it in then-current Opera releases. No further information could be obtained.

I gather from this not a lack of trying on Opera Software's part. I also don't read this as 'we couldn't reach him and thought it worthless to find him' but as 'we asked, got no answer'. What should they have done, send in the Marines, haul the guy to some black ops center for "enhanced interrogation" by some third-world militia?

The only thing we can rely on from the info we have is that there was some communications problem. It could be Opera worded their request a bit problematically, making it seem like they attacked the researcher, which led him to shut up 'and show them'. It could be he simply didn't see the request or was busy finding other exploitable holes in some other software. Or he was getting married, hence wasn't interested in software...

For the time being I wouldn't blame either the researcher or OS.

Chirpie Wednesday, October 19, 2011 1:37:39 PM

Originally posted by sEveron:

So nice of you to put a blame on the guy who wanted to help you out and gave you the exploit half a year ago.

But he didn't. It wasn't even reproducible in the latest version at the time, as the guy even admitted to on his own blog. And when he was contacted for details he never responded.

Too bad you didn't really "patch the hole" back then, otherwise how could he have the working version with minor modifications to the same exploit?

The reported holes were patched.

If he didn't release the thing, the hole still wouldn't be patched, waiting to be found (or maybe it was, we won't ever know) by someone with far less good intentions.

Actually, he could have disclosed it responsibly. Instead he decided to lie and publish it to the world.

Now, with this post, you put yourself in a good light while making him the bad guy. It's all nice for your collective ego I suppose, but It kinda creates the image of opera being a douche to the security researchers because they didn't try hard enough to get your attention.

Actually, Opera did ask the guy to supply all the details, but instead of doing that he sat on it for a few months and then released it out of the blue.

The "researcher" is the true douchebag here. He didn't reveal any relevant details, but instead kept working on it in secret.

Why did it take him several months to release this zero-day if it was a valid issue even back then?

For me the whole incident and its implications make Opera an inherently less secure browser for the reasons stated above.

Then again, you are basing your opinion on misunderstandings and lies.

Chirpie Wednesday, October 19, 2011 1:41:57 PM

Originally posted by sEveron:

And whose RESPONSIBILITY exactly do you think it is to put EFFORT into communicating over such issues?

How can you communicate with someone who does not reply? The blog post clearly states that Opera contacted the reporter and asked.

1. They failed to understand the issue.
2. They failed to communicate with the researcher who found it.
3. They failed to admit the 2 fails above, and blamed the researcher, therefore making it less likely for people to cooperate with them, putting us all at risk.

1. The issue was not reproducible, and had to be modified to actually be exploitable
2. The researcher failed to provide details when he was asked about them
3. The failures were the reporter's for tweaking the exploit and waiting for several months until zero-daying Opera because he realized it couldn't be exploited in the version at the time, so he spent his time tweaking it until it could and then released it irresponsibly.

Instead of thanking him for his research and sending him a check, they chose to blame him for releasing the exploit to the public. Not very encouraging for other researchers to try and help them out.

He published irresponsibly. Vendors don't credit people who do that, so stop pretending like Opera did something wrong.

The release did not put us at risk, we were at risk all the time. Jose did us a favor, because obviously Opera failed to communicate about the issue with him, and releasing it publicly was the sure way to get the thing fixed pronto regardless of the Opera team's inability to communicate properly.

This is a lie. Opera does communicate promptly and properly with reporters. It's just that he refused to communicate. The hole would have been patched safely had the reporter reported it responsibly.

But I cannot accept how they damage their relations with the security community by handling it the way they did.

This has got nothing to do with the security community. It has everything to do with a guy who sat on an exploit for months, lied, and zero-dayed a vendor.

As I stated above, blaming the researcher for making them fix things makes it less likely for future exploits to be handled properly. This is the damage we all receive here.

The researcher wasn't "blamed for making them fix things." He was blamed for being irresponsible when disclosing the issue.

Stop being so damn dishonest.

Chirpie Wednesday, October 19, 2011 1:43:05 PM

Originally posted by K4m1K4tz3:

It seems that this was a communication problem. So I would make your bug-tracking system more transparent. With the current system no one can see the listed bugs and no complex discussion can be started.

The same goes for Mozilla and other browser companies. Security bugs are restricted. So this is not the time or place to argue about opening the bug tracking system. It wouldn't make a difference for security bugs.

OperaCrashed Wednesday, October 19, 2011 2:43:52 PM

Originally posted by DD32:

Yes, Crime is a bad example, but it has similar set of responsible reporting.

How about making the example closer? There is a bank with multiple holes in its safe that is exposed to a backyard that no one guards. Someone stumbles upon them and tells the bank privately first. After half a year he again stumbles upon a hole in what looks to him like exactly the same place. Now he announces it publicly and instantly gets blamed by the bank for how irresponsible that announcement was.

Again, the researcher has exactly zero responsibility over an Opera vulnerability. He does not work for Opera, nor has he agreed to research something for Opera.

Originally posted by slalaurette:

This has clearly been done on purpose, to try to damage Opera's reputation.

What damaged Opera's reputation in my eyes was not the announcement of the vulnerability but Opera's response: "You know, there was an open security hole for a year; but we are not the ones to blame - the irresponsible one is whoever published information about the vulnerability".

Chirpie Wednesday, October 19, 2011 2:48:40 PM

Originally posted by OperaCrashed:

How about making the example closer? There is a bank with multiple holes in its safe that is exposed to a backyard that no one guards. Someone stumbles upon them and tells the bank privately first.

No, that's a terrible example.

All he actually tells them is "there's something wrong with your bank or the property it's on" but actually it was the old gate that was broken. At the time he reported the problem with the old gate, however, the bank had gotten a new gate which was not broken in the same way. When the bank gets back to him to ask him what exactly is broken, he doesn't tell them.

After half a year he again stumbles upon a hole in what looks to him like exactly the same place. Now he announces it publicly and instantly gets blamed by the bank for how irresponsible that announcement was.

After half a year he sees a new problem with the new gate, and instead of reporting it to the bank (even vaguely, as in "there's something wrong somewhere on your property"), he just puts up a sign pointing everyone to it instead.

Why couldn't he have told the bank directly the first time? If we ignore the fact that the hole wasn't there at the time, of course.

Again, the researcher has exactly zero responsibility over an Opera vulnerability. He does not work for Opera, nor has he agreed to research something for Opera.

That doesn't change the fact that:

"This has clearly been done on purpose, to try to damage Opera's reputation."

OperaCrashed Wednesday, October 19, 2011 3:14:40 PM

Originally posted by Chirpie:

At the time he reported the problem with the old gate, however, the bank had gotten a new gate which was not broken in the same way.

Wrong. It was the same gate, just with a different number on it and one hole closed. It seems like Opera did not completely rewrite that place - just patched something.

Originally posted by Chirpie:

That doesn't change the fact that:

"This has clearly been done on purpose, to try to damage Opera's reputation."

If you are replying to me - how about quoting me here fully and replying to that?

Chirpie Wednesday, October 19, 2011 3:17:52 PM

Originally posted by OperaCrashed:

Wrong. It was the same gate, just with a different number on it and one hole closed. It seems like Opera did not completely rewrite that place - just patched something.

It doesn't matter if it was the same gate or not. The point is that all he told them was "it's somewhere on your property" and that's it. The point is that it was incredibly vague, and he refused to explain in more detail.

And the fact is that the hole was NOT in the stable version at the time, but he found a NEW hole in the most recent version. So not only did he refuse to tell them where this hole was supposed to be, but he lied and claimed that a NEW hole was the same as the one he refused to describe properly.

Chris (Slamdex) Wednesday, October 19, 2011 3:25:43 PM

What actually happened here is that he told the bank "that door has a hole in it" but when the bank looked at the door they couldn't find any holes.

The reason they couldn't find any holes in the door is that they had recently bought a new door which didn't have the hole the reporter saw in the old one.

When the bank tried to contact the guy to have him point out the hole he didn't reply.

Fast forward six months. The guy who reported the non-existing hole has looked at the new door and found a similar but new hole. Instead of being responsible and telling the bank to let them fix it, he decided to publish it for the world to see while lying and saying that it's the same hole (even though it's a new hole in a new door).

The end.

Kelvin Twister (PHILIPS-BLASTER) Wednesday, October 19, 2011 3:54:04 PM

I knew you would fix this problem. Congratulations to all of Opera Software, continue doing this great work.

Cutting Spoon (hellspork) Wednesday, October 19, 2011 4:35:10 PM

The fix landed only a day after I heard about the problem. This "researcher" should be watching the safety of his own site, some security experts are unkind to a person with no respect for due procedure.

Charles Schloss (Chas4) Wednesday, October 19, 2011 4:53:12 PM

Originally posted by hellspork:

This "researcher" should be watching the safety of his own site

The other issue about making a 0 day public is that you put thousands of people at risk

Constantine Vesna (c69) Wednesday, October 19, 2011 5:59:39 PM

Opera should start giving money for critical bugs (like Google does with Chrome). This will give motivation for people to be more responsible

p.s.: I don't think it was done to damage Opera's reputation, but rather to boost the guy's own ego.

icare Wednesday, October 19, 2011 6:02:08 PM

Is the code exploitable if DEP is on?

webtax Wednesday, October 19, 2011 6:18:17 PM

According to the review, no.

Jim (toyotabedzrock) Wednesday, October 19, 2011 6:52:31 PM

Originally posted by sEveron:

Took me a minute to find Jose's twitter here, yo: http://twitter.com/#!/0xde1

Discussing a security bug over Twitter might not be wise.

Originally posted by K4m1K4tz3:

It seems that this was a communication problem. So I would make your bug-tracking system more transparent. With the current system no one can see the listed bugs and no complex discussion can be started.

I give a http://files.myopera.com/Tamil/Smilies/ThumbsUp.gif - for that idea.

Originally posted by c69:

Opera should start giving money for critical bugs (like Google does with Chrome).

Also a good idea even if it is a small reward.

Originally posted by icare:

Is the code exploitable if DEP is on?

Yes it is.

clarity0 Wednesday, October 19, 2011 8:17:45 PM

How Opera dealt with this situation is quite disappointing.

Rather than complaining about irresponsible disclosure, Opera should apologize to the community of users, thank the reporter, and work to improve their response time.

Charles Schloss (Chas4) Wednesday, October 19, 2011 8:26:33 PM

Originally posted by c69:

Opera should start giving money for critical bugs (like Google does with Chrome).

Not too good though, as people will want more money based on such and such attack, and then that also costs a lot of money

Sever (sEveron) Wednesday, October 19, 2011 9:02:19 PM

Originally posted by clarity0:

How Opera dealt with this situation is quite disappointing.

Rather than complaining about irresponsible disclosure, Opera should apologize to the community of users, thank the reporter, and work to improve their response time.

Exactly my thoughts. The whole thing feels as if Opera believed they're entitled to the researcher's work and cooperation. They should be the ones trying their best to communicate on this till it's solved, not rest with "no info could be acquired".

Originally posted by Chas4:

Originally posted by c69:

Opera should start giving money for critical bugs (like Google does with Chrome).

Not too good though, as people will want more money based on such and such attack, and then that also costs a lot of money

Is it better to be cheap and have bad press after being zero-day'ed?

Charles Schloss (Chas4) Wednesday, October 19, 2011 9:56:12 PM

Originally posted by sEveron:

Is it better to be cheap and have bad press after being zero-day'ed?

Paying for holes sends a different message; if Microsoft did that with IE they would lose huge money (they have 4 different versions being supported right now). Software is never perfect.

And Opera had a very fast response time; it was less than a day for the patch to come out after the code was public. And this would bring no bad press as it was patched so fast, just like the last one was. Opera is also known for being the most secure; Symantec has even said so.

OperaCrashed Wednesday, October 19, 2011 10:04:14 PM

I doubt people who report want money - even in this case, whoever is interested in exploiting such vulnerabilities will offer more anyway.

In case I reported something like that I would like the most clear status: Confirmed/Not confirmed/Duplicate/Resolved. Ideally also estimated time of resolving: ASAP/Next stable branch/Sometime in the future.

olli Wednesday, October 19, 2011 10:15:07 PM

Originally posted by OperaCrashed:

In case I reported something like that I would like the most clear status: Confirmed/Not confirmed/Duplicate/Resolved. Ideally also estimated time of resolving: ASAP/Next stable branch/Sometime in the future.

This is the type of information we do provide to people that report exploits and follow the conduct of responsible disclosure :-)

Dillon (Astrophizz) Wednesday, October 19, 2011 10:22:05 PM

Originally posted by Chas4:

And Opera had a very fast response time, it was less than a day for the patch to come out, after the code was public.

It was more like a week since he posted the code on October 10, though that's still pretty quick.

clarity0 Wednesday, October 19, 2011 10:37:53 PM

Originally posted by Chas4:

And Opera had a very fast response time, it was less than a day for the patch to come out, after the code was public. And this would bring no bad press as it was patched so fast just like the last one was. Opera is also know for being the most secure,

Yes, publicly disclosed reports with lots of media attention tend to do that. Though "less than a day" is not accurate. Seems to argue for the so-called "irresponsible" disclosure. Otherwise you might have to wait 6 months.

Dillon (Astrophizz) Wednesday, October 19, 2011 10:57:27 PM

The guy who posted the exploit has made some interesting claims on twitter, including that the exploit still works after the patch: https://twitter.com/#!/0xde1/status/126696242838388736

Severs (sEveron) Wednesday, October 19, 2011 10:59:47 PM

Originally posted by Astrophizz:

The guy who posted the exploit has made some interesting claims on twitter, including that the exploit still works after the patch: https://twitter.com/#!/0xde1/status/126696242838388736

Gods help Opera if that's true.

BernG Wednesday, October 19, 2011 11:26:36 PM

Originally posted by sEveron:

Originally posted by Astrophizz:

The guy who posted the exploit has made some interesting claims on twitter, including that the exploit still works after the patch: https://twitter.com/#!/0xde1/status/126696242838388736

Gods help Opera if that's true.

Are you two years old? Your drama queen hyperbole? In the unlikely event there is a problem, I'm sure Opera will take care of it. The world won't end.

Severs (sEveron) Wednesday, October 19, 2011 11:29:57 PM

Originally posted by BernG:

Originally posted by sEveron:

...
Gods help Opera if that's true.

Are you two years old? Your drama queen hyperbole? In the unlikely event there is a problem, I'm sure Opera will take care of it. The world won't end.

Personal assault like a boss, huh? Very mature, I congratulate.

Cutting Spoon (hellspork) Wednesday, October 19, 2011 11:32:40 PM

Just saying... if he has more than one trick and rolls them out separately... he'll be making a lot of enemies. Nobody respects a "researcher" who doesn't lay his cards on the table, and eventually his own security will be "tested". It is bad news for everyone, and it will be HIS fault if something actually happens.

Dillon (Astrophizz) Thursday, October 20, 2011 12:22:15 AM

He seems to be expecting Opera to find all of the exploit permutations on their own rather than working with them :/

Charles Schloss (Chas4) Thursday, October 20, 2011 3:03:53 AM

Originally posted by sEveron:

Gods help Opera if that's true.

More recent tweet: https://twitter.com/0xde1/status/126853263604719616

Dillon (Astrophizz) Thursday, October 20, 2011 3:44:01 AM

Ah, I see, thanks Chas4. I based my interpretation off of the timestamp of his tweet relative to when 11.52 was posted.

Chris (Slamdex) Thursday, October 20, 2011 9:08:42 AM

Originally posted by clarity0:

How Opera dealt with this situation is quite disappointing.

Rather than complaining about irresponsible disclosure, Opera should apologize to the community of users, thank the reporter, and work to improve their response time.

Actually, the problem is that the reporter lied about Opera ignoring the problem. Opera merely set the record straight and pointed out that the liar is lying. It's idiotic to blame Opera in public and lie about it. He lied. He got called out on it. Now you are whining about a liar being exposed? Pathetic.

Yes, publicly disclosed reports with lots of media attention tend to do that. Though "less than a day" is not accurate. Seems to argue for the so-called "irresponsible" disclosure. Otherwise you might have to wait 6 months.

Actually, Opera is always fast when fixing critical vulnerabilities.

Are you and the reporter the same guy? You are both liars, at least.

Chris (Slamdex) Thursday, October 20, 2011 9:14:23 AM

Originally posted by sEveron:

Exactly my thoughts. The whole thing feels as if Opera believed they're entitled to the researcher's work and cooperation. They should be the ones trying their best to communicate on this till it's solved, not rest with "no info could be acquired".

Of course Opera is entitled to the researcher's work and cooperation. He voluntarily gave it up to them originally.

Then he decided that he wanted publicity, so he found a new vulnerability, lied about it being an old one, and created a whole series of lies to get fame and fortune out of lying about Opera.

Opera actively tried to get more information. Nothing was given to them, most likely because the vulnerability was already fixed in the stable version at the time. After all, the 0-day was a new attack vector.

But you already know all of this, so why are you still lying about it?

Personal assault like a boss, huh? Very mature, I congratulate.

You keep trying to lie and create drama. Maybe if you stop your immature lies and drama, someone will take you seriously.

Scott Ci3Phase Thursday, October 20, 2011 9:24:37 PM

Dear Opera, there does not appear to be a way to completely disable SVG so I have to ask: "How do you completely disable SVG in Opera v11.52?"

A few days before the release of Opera v11.52 I read a USENET article about the SVG exploit in Opera v11.51. I immediately began to wade, then flounder and sink, through the assorted options in Opera Preferences and in opera:config. There does not appear to be a simple, 100% On/Off switch for SVG content.

A web search hinted that
Preferences|Advanced|Content|Enable animated images [ ]
would disable the animated GIF and SVG.

That seemed simple enough until I put "SVG" in the Find field in opera:config and it found:

Cache|SVGCacheSize

SVG|RenderingQuality
SVG|TargetFramerate

Default SVGCacheSize=40960
Default RenderingQuality=25
Default TargetFramerate=29


So, now I don't know if disabling animated images in Preferences|Advanced|Content actually does or does not have anything at all to do with SVG and will actually prevent an SVG exploit.


In opera:config I set and saved:

SVGCacheSize=0
RenderingQuality=0
TargetFramerate=1

The TargetFramerate, by the way, quite helpfully appears to accept, save and then display a setting of 0, but it automatically and invisibly resets itself to 29, and there is no warning or error message.

When Opera is shut down and restarted, the TargetFramerate is once again 29, and only then is there a clue that 0 is not a valid TargetFramerate. I have not tried to set or save any of the negative numbers offered, but it does appear to accept, save and display a framerate setting of 1 that persists through a shutdown and restart of Opera.

If I have correctly understood the SVG settings, and the SVG exploit is still exploitable, then it will be an un-animated, uncached, very poor quality exploit, but it will still be able to exploit the system, either one frame at a time or once per second.

"How do you completely disable SVG in Opera v11.52?"
