Opera Denies SVG Patch Accusations

By | October 20, 2011

Opera Denies SVG Patch AccusationsWith the release of Opera 11.52, Norwegian browser maker has fixed a security vulnerability, which enabled hackers to execute the arbitrary code through the SVG font manipulation.

There is one issue though, José A. Vázquez, security researcher from Spain has made this exploit public 10 days ago, putting Opera users at risk.

According to José, he has discovered the issue 372 days ago and immediately reported it to Opera Software. Unfortunately, it was never fixed. Seeing no light at the end of the tunnel, security researched had no choice but to make such exploit public.

Why did Opera Software refused to fix the issue? According to one of the employees, despite the excessive testing, they weren’t been able to reproduce the issue and have contacted José to obtain more information. However, they never received any new details.

And that brings us to today. If Opera claims are to be believed, the original researcher has found a new way to modify the vector, so the current versions of Opera could be exploited, but he never sent such information for the Opera Software employees to check out.

Whether or not such claims are true, it remains to be seen. Just don’t hold your breath, as we are unlikely to ever find out the truth.

About (Author Profile)

Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.

Comments (14)

Trackback URL | Comments RSS Feed

  1. Mikah says:

    Opera has a good record of releasing patches quickly until its proven otherwise I’ll believe their version of events over a researcher who’s probably just after his 10 minutes of fame.

  2. Mikah says:

    José A. Vázquez has a blog at http://spa-s3c.blogspot.com/  heres a quote
    “Update (2011/10/17): I want to explain that I do not have an exact date when Opera was reported. As I’ve explained in my report in spanish, probably it was 10 months ago. By the way, note that they fixed the known as “frameset exploit” in May. However, all the vulnerabilities were reported together.”

    Opera failing to fix a vulnerability that they were alerted to over 372 days ago sounds really bad.
    If it was 10 months ago it sounds bad 
    Six months ago not so bad  especially if Opera were unable to reproduce the issue.

    • joe says:

      They didn’t fail to fix it because it was already fixed in the latest version. That’s why Jose had to go back to the drawing board and change the exploit (come up with a new exploit), and he finally got it working in 11.5x.

      Opera never failed to fix a vulnerability. The new vulnerability was fixed within a week of the code being published on the web.

      Try it for yourself. The exploit still fails in the old version of Opera. This proves that it’s a new one, so his claim is a lie.

  3. przemo_li says:


    Come one!

    In one section you write that Researches sent info, then Opera tested it, and after failure to reproduce bug, sent request for more info. Then Researcher did not responded.

    Then you interpret it as Researcher who found bug, but DID NOT reported it to Opera.

    Insted Opera claim that they could not get more info, despite asking about it!

    6m is as bad as 10m or as bad as 372d!

  4. Sirnh1 says:

    Hmmm… What to believe a security researcher I’ve never heard of … or … opera that has a very good record of patching stuff… I think I’ll go for Opera. It wouldn’t surprise me if the ‘security researcher’ is only after self promotion or something like that…

    Besides can’t patch a bug if you ask for details, but don’t get anything…

  5. Mac_Karma says:

    Opera (Mac) has a huge bug that I’ve reported to them but still remains.

    Let’s say you find a link to a file you want to save to a folder and you want to name that folder with some text on that page, you can’t do it.

    Go to any web page and highlight and copy some text. Now find a link on that page and control-click it. Select “Save Linked Content As…” and in the resulting dialog click the New Folder button. In the resulting dialog, try to paste the text you previously copied. You can’t do it.

    This bug has been around for a long time and I’ve attempted to bring it to Opera’s attention with no success.

  6. Gnfdmdk says:

    who gives a damn, opera is a such a joke

    • Scorpion3003 says:

      Apparently you when you commented here,and the only joke i see here is your comment.

      • Gnfdmdk says:

        apparently some piece of software means so much to some people, they zealously try to protect its name… pathetic

        • joe says:

          He didn’t try to protect its name (he never even mentioned the browser). He merely pointed out your self-contradictory stupidity.

          • Gnfdmdk says:

            ok, your comment was too geeky for me to undersand it, if you want to win this so important for you argument on the internet, i will let you, because i dont give a damn

          • Mikah says:

            Whats this about you letting him win the argument ?  since when has a troll ever had a chance to win an argument