Opera Denies SVG Patch Accusations
With the release of Opera 11.52, Norwegian browser maker has fixed a security vulnerability, which enabled hackers to execute the arbitrary code through the SVG font manipulation.
There is one issue though, José A. Vázquez, security researcher from Spain has made this exploit public 10 days ago, putting Opera users at risk.
According to José, he has discovered the issue 372 days ago and immediately reported it to Opera Software. Unfortunately, it was never fixed. Seeing no light at the end of the tunnel, security researched had no choice but to make such exploit public.
Why did Opera Software refused to fix the issue? According to one of the employees, despite the excessive testing, they weren’t been able to reproduce the issue and have contacted José to obtain more information. However, they never received any new details.
And that brings us to today. If Opera claims are to be believed, the original researcher has found a new way to modify the vector, so the current versions of Opera could be exploited, but he never sent such information for the Opera Software employees to check out.
Whether or not such claims are true, it remains to be seen. Just don’t hold your breath, as we are unlikely to ever find out the truth.
About (Author Profile)
Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.
Opera has a good record of releasing patches quickly until its proven otherwise I’ll believe their version of events over a researcher who’s probably just after his 10 minutes of fame.
José A. Vázquez has a blog at http://spa-s3c.blogspot.com/ heres a quote
“Update (2011/10/17): I want to explain that I do not have an exact date when Opera was reported. As I’ve explained in my report in spanish, probably it was 10 months ago. By the way, note that they fixed the known as “frameset exploit” in May. However, all the vulnerabilities were reported together.”
Opera failing to fix a vulnerability that they were alerted to over 372 days ago sounds really bad.
If it was 10 months ago it sounds bad
Six months ago not so bad especially if Opera were unable to reproduce the issue.
They didn’t fail to fix it because it was already fixed in the latest version. That’s why Jose had to go back to the drawing board and change the exploit (come up with a new exploit), and he finally got it working in 11.5x.
Opera never failed to fix a vulnerability. The new vulnerability was fixed within a week of the code being published on the web.
Try it for yourself. The exploit still fails in the old version of Opera. This proves that it’s a new one, so his claim is a lie.
FACEPALM.
Come one!
In one section you write that Researches sent info, then Opera tested it, and after failure to reproduce bug, sent request for more info. Then Researcher did not responded.
Then you interpret it as Researcher who found bug, but DID NOT reported it to Opera.
Insted Opera claim that they could not get more info, despite asking about it!
6m is as bad as 10m or as bad as 372d!
Hmmm… What to believe a security researcher I’ve never heard of … or … opera that has a very good record of patching stuff… I think I’ll go for Opera. It wouldn’t surprise me if the ‘security researcher’ is only after self promotion or something like that…
Besides can’t patch a bug if you ask for details, but don’t get anything…
Deleted
Opera (Mac) has a huge bug that I’ve reported to them but still remains.
Let’s say you find a link to a file you want to save to a folder and you want to name that folder with some text on that page, you can’t do it.
Go to any web page and highlight and copy some text. Now find a link on that page and control-click it. Select “Save Linked Content As…” and in the resulting dialog click the New Folder button. In the resulting dialog, try to paste the text you previously copied. You can’t do it.
This bug has been around for a long time and I’ve attempted to bring it to Opera’s attention with no success.
Aha. The relevance being?
who gives a damn, opera is a such a joke
Apparently you when you commented here,and the only joke i see here is your comment.
apparently some piece of software means so much to some people, they zealously try to protect its name… pathetic
He didn’t try to protect its name (he never even mentioned the browser). He merely pointed out your self-contradictory stupidity.
ok, your comment was too geeky for me to undersand it, if you want to win this so important for you argument on the internet, i will let you, because i dont give a damn
Whats this about you letting him win the argument ? since when has a troll ever had a chance to win an argument