We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Opera working on fix for desktop browser bug

Patch to be released "as soon as possible"

Opera Software has confirmed it is working on a patch for  a critical vulnerability in its Opera desktop browser.

The Norwegian browser maker did not set a timeline for fixing the bug, but a spokesman said it would be released "as soon as possible."

The flaw, which Danish bug tracking vendor Secunia rated as 'highly critical', the second-highest ranking in its five-step coring system, can be exploited by attackers to corrupt memory, crash Opera and theoretically execute attack code.

According to the researcher who posted proof-of-concept attack code on the web last week, the bug affects Opera 10, including the newest version, Opera 10.50, which shipped last week.

Opera contested Secunia's initial report of the vulnerability, claiming that the bug is not a security issue because attackers would be able to only crash the browser, not gain control of the PC.

After prompting from Secunia and further investigation, however, Opera conceded that the flaw might be exploitable.

"In a 64bit environment this would still crash, but in a 32bit environment it ... could potentially be used to move memory from one location to another without crashing, provided the specified length was not too long," said Opera spokesman Thomas Ford.

Ford downplayed the threat, saying that it's unlikely any exploit would be reliable enough to pose a risk to users.

"There are so many dependencies in data used in an application like Opera that getting valid data into every location that needs it is rather unlikely, and a crash soon after the corruption is the most likely scenario, unless the final phase of the attack can be carried through very quickly, something which depends on a large number of variables," he added.

Only the Windows versions of Opera contain the vulnerability; users can protect their PCs until a patch is issued by making sure that DEP (data execution prevention) and ASLR (address space layout randomisation) are enabled, said Ford.

Microsoft debuted DEP with Windows XP Service Pack 2 (SP2) in 2004, and began using ASLR with Windows Vista in early 2007. Windows 7 features both security mechanisms.

"Since this is considered a security issue, even if it is currently theoretical, we have a fix ready and are testing it," said Ford.

"The plan is to release an update of Opera soon."

Opera accounted for about 2.4 percent of all browsers used worldwide last month, according to web metrics company Net Applications.

Irish measurement company StatCounter, meanwhile, estimated that Opera owned a two percent global share in February, but a 4.3 percent share in Europe.

The browser is one of the five that appear by default in the first screen of the browser ballot that Microsoft began sending to Windows users in the European Union last week.

See also: Opera sees three-fold increase in downloads

IDG UK Sites

What to expect from Google I/O 2015 | Google I/O live video stream | Google I/O live blog |...

IDG UK Sites

Why Intel’s vision of the future is a future I want to live in

IDG UK Sites

Ben & Holly's Game of Thrones titles spoof is delightfully silly

IDG UK Sites

Jony Ive 'semi-retired' into new role: kicked upstairs as Chief Design Officer