Opera Issued Seven Patches for Browser, Kept One Secret
Opera Software released seven patches for its Opera browser on August 20, 2008, but refused to disclose details about one of the seven bugs.
Apart from the seven vulnerabilities, Opera 9.52 also fixes several other bugs across its editions: seven in the Windows version, six in the Linux browser, and five in the Mac edition. All the patches are rated from highly severe to low severe on the company's five-step threat ranking system.
According to an advisory issued by the company, an external application can start Opera if it is a registered handler for a given protocol.
Security experts said that malicious people could misuse vulnerabilities in Opera to launch cross-site scripting and spoofing attacks. They could also exploit the vulnerabilities to bypass security software, steal sensitive details, or compromise a user's system.
In addition, an unknown error occurs when Opera is used as a protocol handler. This can be exploited to crash the system and potentially execute arbitrary code. Fortunately, this vulnerability affects only Windows systems.
However, Opera withheld details of one of the patched flaws. Thomas Ford, a spokesman for Opera, said that other software might be associated with this flaw, as reported by ComputerWorld on August 20, 2008.
Furthermore, Thomas Ford said that Opera believes that, under certain circumstances, patches for vulnerabilities could be released without publishing an advisory for the flaw. If Opera releases patches without any advisory, it is because other vendors have not released patches.
Vendors sometimes release a patch without providing any information on what they have fixed, but they customarily give information along with the fix. A similar incident took place in February 2008, when Adobe Systems Inc. released an update for a number of vulnerabilities found in its popular Reader PDF utility but did not give details about the vulnerabilities and patches. At that time, security experts were puzzled by Adobe's action, as they considered the company usually forthcoming.
Nevertheless, Thomas Ford said that Opera followed this path with different intentions for secrecy. Publishing an advisory just to show that it has fixed vulnerabilities could leave other products unprotected. It could also give malicious hackers an opportunity to acquire the information they need to cause damage.
» SPAMfighter News - 28-08-2008