Opera didn’t patch a vulnerability?

Opera recently released an update for its browser fixing a vulnerability with its handling of Scalable Vector Graphics (SVG) files. So yes it was fixed, but why did it take 362 days before it happened? I can’t answer that question, but Opera is denying it happened.

Computerworld posted news about this topic saying:

Security researcher Jos A. Vzquez stirred controversy at the beginning of last week when he released proof-of-concept exploit code for an unpatched vulnerability in Opera.

 

Making security issues public without notifying affected vendors in advance is generally frowned upon in the security community, but is not particularly uncommon. However, in this case, the researcher claims to have tried acting responsibly without success.

Jose claims that he reported this vulnerability to Opera through their SecuriTeam Secure Disclosure (SSD) program. After 362 days of waiting from when Opera was notified a patch to fix this vulnerability was still not out. Jose decided to give them some encouragement by writing his proof-of-concept post on the internet, hoping that the vulnerability being publicly available would get Opera to fix the problem. Luckily this pushed them to fix this problem.

Opera tried to defend themselves by saying:

Opera admits being alerted about the flaw six months ago, as part of a larger report, but it claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Sigbjørn Vik also responded on behalf of Opera in a post saying:

we find out that a researcher – presumably the same original researcher – has found a way to modify the vector, so current Opera releases could be exploited. We received no details about this modified vector until the details of it were made public, effectively putting our users at risk from the issue, without us immediately having any way to protect them.

He blames Jose for putting Opera users at risk, which realistically Jose did. But if Opera had fixed this problem when it was originally reported that would not have had to be done.

So Jose claims to have told them about a year ago. Opera claims to have found out about six months ago, and no patch until a little over a week ago after they were slightly forced by the information about the vulnerability being posted. To me it sounds like Opera messed up somehow or just decided not to patch it for whatever reason. You can decide for yourself. Personally if this was chrome I’d be worried, but hey, its Opera, almost nobody uses it anyway.

http://www.computerworld.com/s/article/9221043/Opera_denies_refusing_to_patch_critical_vulnerability
http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52
http://spa-s3c.blogspot.com/2011/10/spas3c-sv-006opera-browser-101112-0-day.html

Advertisements