mailing list archives
Opera 7.54 vulnerabilities again (still unfixed)
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Sat, 4 Dec 2004 19:24:08 +0100 (MEZ)
-----BEGIN PGP SIGNED MESSAGE-----
Hi out there,
there have been questions concerning the criticality of the opera 7.54
security hole series which was published last month
- From my subjective point of view, the opera bug is worse for users, because
not fixed in the core product, only in the beta version, while the
sun plugin bug has been fixed since 1.4.2_06. Remember: Opera does not use
the standard plugin mechanism although they allow to use a standard jre.
should not be mixed up.
The opera implementation does allow to load any sun.* class by the
applet regardless of the JDK version installed. This is comparable in
criticality to the plugin bug. What makes things worse is the fact,
that the presented vulnerabilities
(and some more) cannot be fixed by just installing a
clean 1.4.2_06, you need to adjust the policy file manually if you stick
to Opera 7.54, which is the current product version. So we have an
up2date program version with unfixed and exploitable vulns.
These vulns are labeled 'uncritical' in some "expert" security databases
(http://secunia.com/advisories/13257/) . This trivilization is a pretty
bad starting point when you really want to "stay secure" :-(
The bug is not fixed, may expose your user name and
harddisk structure to some untrusted software and is labeled 'uncritical' ?
To summarize, don't be misled by these unrealistic criticality levels,
to protect your privacy remove opera, remove all old java versions,
install java 1.4.2_06 (optionally) and use a decent browsers that
implements the plugin standard interface (such as Firefox).
This last recommendation is temporarily and may be obsolete when an official
7.60 version has been released. Hopefully before xmas ?
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)
-----END PGP SIGNATURE-----
- Opera 7.54 vulnerabilities again (still unfixed) Marc Schoenefeld (Dec 04)