Opera denies refusing to patch critical vulnerability

An error in the way Opera handles Scalable Vector Graphics (SVG) files can lead to arbitrary code execution

Lucian Constantin (IDG News Service)
20 October, 2011 23:58
Comments

Opera Software has released an update for its desktop browser in order to address a critical vulnerability in its handling of Scalable Vector Graphics (SVG) files, disclosed a week ago. The company denies refusing to patch the flaw when it was brought to its attention earlier this year.

Security researcher José A. Vázquez stirred controversy at the beginning of last week when he released proof-of-concept exploit code for an unpatched vulnerability in Opera.

Making security issues public without notifying affected vendors in advance is generally frowned upon in the security community, but is not particularly uncommon. However, in this case, the researcher claims to have tried acting responsibly without success.

"In this post, I do the release of an issue that I discovered 362 days ago and it was reported to Opera using the SSD program (SecuriTeam Secure Disclosure), but they have decided not to fix it," Vázquez said on his blog on Oct. 10.

The issue stems from an error in Opera's SVG handling code which can be exploited to execute arbitrary code by tricking victims into loading specially crafted SVG images with malformed fonts.

Opera admits being alerted about the flaw six months ago, as part of a larger report, but, it claims that it couldn't replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren't successful.

"In this case, the issue had only been confirmed for older versions of Opera, not the current version, at the time of it being reported, and the recently published information contained details that were not included in the original report, and which appear to be relevant to reproducing the issue," Opera quality assurance engineer Sigbjørn Vik said Wednesday.

"With our release today of Opera 11.52, we have a fix available for this issue, less than a week after being made aware of the relevant details. [...] We recommend that all Opera users download and install this newest version," he said.

SVG handling vulnerabilities are common and most browser vendors have dealt with this type of issue at one point or another. Such flaws are usually discovered with the help of automated programs called fuzzers which feed malformed input to SVG parsers in the hope of triggering expoloitable crashes.

The latest Google Chrome stable update contained a patch for a flaw involving SVG fonts, while a critical SVG vulnerability was patched in Firefox 6.

In addition to addressing the SVG vulnerability, Opera 11.52 also contains fixes for non-security issues with BitTorrent downloads, HTML5 videos and X-Frame-Options error pages.

"Suggesting that people's "purpose is to get information to flow through the ..."

Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."

Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."

Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."

After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."

CIOs struggle to deliver timely mobile business apps: survey

Tags: patches, applications, Google, opera software, security, browsers, software, Exploits / vulnerabilities, mozilla

Latest Blog Posts

Whitepapers

Securing the Promise of Virtualisation
For today’s enterprise, this whitepaper identifies three general areas of risk associated with risk; those that are traditionally areas of risk, the hazards that are exclusive to virtualisation and the more recent set of risks that are associated with newly formed hybrid environments. Read more to find out how to keep pace with evolving threats, quicker provisioning and dynamically mobile workloads.

Learn more »
Deploying Flash in the Enterprise
Flash is quickly emerging as the preferred way to overcome the nagging performance limitations of hard disk drives. However, because flash comes at a significant price premium, outright replacement of HDDs with flash only makes sense in situations in which capacity requirements are relatively small and performance requirements are high. Learn how deployment approaches-including hybrid storage arrays, server flash, and all-flash arrays-that combine the performance of flash with the capacity of HDDs can be cost effective for a broad range of performance requirements.

Learn more »
Customer Success - Slater & Gordon Lawyers
Lawyers work hard, and they work fast. Any activity that takes their focus away from the task at hand represents lost productivity and lost revenue. Slater & Gordon Lawyers needed to filter spam and email-borne malware and provide high availability for email. Results from the business solution they chose include 250 hours of IT staff time reclaimed annually for other tasks, long delays in email delivery alleviated, reduced email-related storage costs, and email failover to the cloud in minutes, avoiding hours-long outages. Find out how they got these results.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

FTJob Title: Mac Systems/ Enterprise Systems EngineerNZ
FTSenior Python DeveloperNSW
FTOS Web Applications DeveloperNSW
FTTechnical Business AnalystNSW
FTFlash / ActionScript Developer - ContractNSW
FTR&D EngineerSA
FT.NET - Sitecore Developer - Melbourne - PermNSW
FTLead Software EngineerSA
FTQuality ManagerSA

Zones

Featured Whitepapers

Maximising productivity without sacrificing security

Advances in mobility and client computing technology combined with the ubiquity of the Internet and social media are creating a culture and desire for constant connectivity and anywhere access to ...

Recent comments

"Suggesting that people's "purpose is to get information to flow through the ..."
Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."
Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."
Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."
After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."
CIOs struggle to deliver timely mobile business apps: survey

Follow CIO

Market Place

Switch on The Symantec Business Critical Virtualisation Content Zone

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Australian Breakfast Road Show: Enabling Proactive Security for Tomorrow's Business Trends

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Opera denies refusing to patch critical vulnerability

Recommended

BYOD and ITSM: What you need to know

Commonwealth Bank shifts to activity-based work culture, swanky ...

Sony and Lego collaborating on toy research

Homeless multinationals and taxing decisions

IT sourcing: in or out?

Avoiding your cloud vendor’s success trap

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

5 open source billing systems to watch

PMBOK vs PRINCE2 vs Agile project management

Opinion: Why national e-health is not for everyone

Dual-Persona Smartphones Not a BYOD Panacea

Larry Page wants to see your medical records

eBay bids on big data challenge

How Big Data can improve marketing and customer service

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Maximising productivity without sacrificing security

Enable Flexible Working

NetApp FAS6240 Clustered SAN Champion of Champions

Forrester: The Three Stages of Cloud Economics

Legal Compliance in Electronic Record Keeping