Unfortunately opera: is the new chrome:

Opera 9.62 is out. Please make SURE you upgrade as soon as possible, as we've just fixed one of the worst security issues I can remember having seen in Opera.

A while ago security researchers were forcing Mozilla to play catch-up, while they were figuring out several ways web content could inject JavaScript in the chrome: context, meaning it would run with the privilege of the Firefox User Interface. At the time it seemed much safer to be Opera which does not have a JS/XUL-based UI.

Not so fast.. Some of Opera's features have now gravitated towards HTML+JS-based screens in pages shown with the opera: protocol. The most powerful one is opera:config, and since all opera: pages can interact, a minor XSS exploit in opera:historysearch became an extremely bad security problem.

So, opera: is the new chrome: and we have to deal with that and lock any opera: resource down accordingly. 😦

Advertisements

14 thoughts on “Unfortunately opera: is the new chrome:

  1. Security problems like this are the most compelling argument to add an auto-update feature into Opera ASAP. Even though Firefox has more potential security problems because of extensions etc., their users are always automatically up-to-date with bug fixes.I'd say most Opera users won't even bother with small incremental updates like this if there's not a really good reason to upgrade (like new features etc.), and the severity of this security problem is not indicated on the download page, so how many people will really care?

  2. Please use the wishlist forum to post feature requests, OK? Derailing discussions with unrelated requests is only going to move the focus away from the actual issue.

  3. Anonymous: As haavard said, the page you link to does NOT show a new exploit against 9.62. The author of that exploit (with the nick "NeoCoderz") obviously tried the original proof of concept in 9.61 – so the injected JavaScript set his mailto: handler to calc.exe – then upgraded to 9.62. Since the mailto: handler is still calc.exe, every mailto: link will bring up the Windows calculator.This presumed "exploit" just proves that "NeoCoderz" doesn't understand what the problem was, and trust me – his "exploit code" in fact makes no sense AT ALL. Seriously – he's trying to "inject" code that will simply eval() a string which is the path to calc.exe – as if that would automagically change Opera's preferences or make Opera throw that path at the system and execute it. Totally clueless. (He even claims his "exploit" is "injecting" this code into pages that do not accept any input – like opera:plugins and opera:about. :doh: )Short version: 9.62 IS SAFE, there is no new exploit that works against it. We'll keep working on hardening opera: pages' security policies just in case, but several smart people spent much of last week reviewing and analyzing all pages generated under the opera: protocol before we gave 9.62 a green light and called it safe.

  4. @haavard: sorry, I felt mentioning the auto-update system was relevant to the topic… (and i already supported the wishlist request)also, it seems another point I was trying to make was lost a bit:Why is this blog the only page that warns about the severity of the problem? I don't think regular users will care about such a incremental release and the standard "This is a recommended security and stability update" line that comes with every such release is probably understating the issue… Shouldn't this be on the front page?

  5. Why is this blog the only page that warns about the severity of the problem?

    Well, in fact it isn't – there is a security advisory and some coverage on tech news sites – but I see your point. For important security updates we should probably be able to put a small banner across all Opera.com pages that appears only to users visiting with insecure Opera versions, for example. I'll follow up your criticism internally.

  6. Originally posted by hallvors:

    This presumed "exploit" just proves that "NeoCoderz" doesn't understand what the problem was, and trust me – his "exploit code" in fact makes no sense AT ALL.

    That's quite typical. Wannabee hackers that really don't know very well what they're doing, and instead of doing responsible bug reporting, they simply disclose the bug to get some credit from being script newbs.

  7. I always wandered what the positive sides of using HTML based interfaces?The cons I see:bad integration with rest of browser interfacemore space for security issuesslower than native implementationhard to match a behaviour and look of native OS interface widgetsThe only pros I see:more easy and fast way to develop some new features cross-platform

  8. automatically cross-platform UI

    Automatically cross-platform but not native to platform… ;)So, I think your point is pretty match the same as mine — HTML interfaces are easier and quicker way to implement cross-platform.I updated my comment by adding "cross-platform" to be more precise.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s