Home page logo
/

bugtraq logo Bugtraq mailing list archives

Opera 7.54 vulnerabilities again (still unfixed)
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Sat, 4 Dec 2004 19:24:08 +0100 (MEZ)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi out there,

there have been questions concerning the criticality of the opera 7.54
security hole series which was published last month
(http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html).

- From my subjective point of view, the opera bug is worse for users, because
it is
not fixed in the core product, only in the beta version, while the
sun plugin bug has been fixed since 1.4.2_06. Remember: Opera does not use
the standard plugin mechanism although they allow to use a standard jre.
This
should not be mixed up.

The opera implementation does allow to load any sun.* class by the
applet regardless of the JDK version installed. This is comparable in
criticality to the plugin bug. What makes things worse is the fact,
that the presented vulnerabilities
(and some more) cannot be fixed by just installing a
clean 1.4.2_06, you need to adjust the policy file manually if you stick
to Opera 7.54, which is the current product version. So we have an
up2date program version with unfixed and exploitable vulns.
These vulns are labeled 'uncritical' in some "expert" security databases
(http://secunia.com/advisories/13257/) . This trivilization is a pretty
bad starting point when you really want to "stay secure" :-(
The bug is not fixed, may expose your user name and
harddisk structure to some untrusted software and is labeled 'uncritical' ?

To summarize, don't be misled by these unrealistic criticality levels,
to protect your privacy  remove opera, remove all old java versions,
install java 1.4.2_06 (optionally) and use a decent browsers that
implements the plugin standard interface (such as Firefox).
This last recommendation is temporarily and may be obsolete when an official
7.60 version has been released. Hopefully before xmas ?

Sincerely
Marc Schönefeld

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFBsgDMqCaQvrKNUNQRAn2nAJ9Q5RG4SiUIHQn7F73i+HxMGxaPAgCdH6Uc
YyjlqzlYOKclJK6QaE2769A=
=g6P3
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • Opera 7.54 vulnerabilities again (still unfixed) Marc Schoenefeld (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault