Opera confirms critical browser bug

Working on patch for Windows vulnerability

Opera Software ASA yesterday confirmed that there's a critical vulnerability in its Windows desktop browser and said it is working on a patch.

The Norwegian browser maker did not set a timeline for fixing the bug, but on Monday a spokesman said it would be released "as soon as possible."

The flaw, which Danish bug tracking vendor Secunia rated as "highly critical," the second-highest ranking in its five-step scoring system, can be exploited by attackers to corrupt memory, crash Opera and theoretically execute attack code. According to the researcher who posted proof-of-concept attack code on the Web last week, the bug affects Opera 10, including the newest version, Opera 10.50, which shipped last week.

Opera contested Secunia's initial report of the vulnerability, claiming that the bug is not a security problem because attackers would be able to only crash the browser, not gain control of a PC. However, after prompting from Secunia and further investigation, Opera conceded that the flaw might be exploitable.

"In a 64-bit environment this would still crash, but in a 32-bit environment it... could potentially be used to move memory from one location to another without crashing, provided the specified length was not too long," said Opera spokesman Thomas Ford in an e-mail Monday.

Ford downplayed the threat, saying that it's unlikely any exploit would be reliable enough to pose a threat to users. "There are so many dependencies in data used in an application like Opera that getting valid data into every location that needs it is rather unlikely, and a crash soon after the corruption is the most likely scenario, unless the final phase of the attack can be carried through very quickly, something which depends on a large number of variables," he added.

Only the Windows versions of Opera contain the vulnerability; users can protect their PCs until a patch is issued by making sure that DEP (data execution prevention) and ASLR (address space layout randomization) are enabled, said Ford. Microsoft Corp. debuted DEP with Windows XP Service Pack 2 in 2004, and the company began using ASLR with Windows Vista in early 2007. Windows 7 features both security mechanisms.

"Since this is considered a security issue, even if it is currently theoretical, we have a fix ready and are testing it," said Ford. "The plan is to release an update of Opera soon."

Opera accounted for about 2.4% of all browsers used worldwide last month, according to U.S. metrics company NetApplications.com. Irish measurement company StatCounter, meanwhile, estimated that in February Opera owned a 2% share of the global market and a 4.3% share in Europe.

The browser is one of the five that appear by default in the first screen of the browser ballot that Microsoft began sending to Windows users in the European Union last week.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon