TUCoPS :: Browsers :: hack7492.htm

Opera 7.54 vulns again (still unfixed)
Opera 7.54 vulnerabilities again (still unfixed)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi out there,

there have been questions concerning the criticality of the opera 7.54
security hole series which was published last month
(http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html). 

- From my subjective point of view, the opera bug is worse for users, because
it is
not fixed in the core product, only in the beta version, while the
sun plugin bug has been fixed since 1.4.2_06. Remember: Opera does not use
the standard plugin mechanism although they allow to use a standard jre.
This
should not be mixed up.

The opera implementation does allow to load any sun.* class by the
applet regardless of the JDK version installed. This is comparable in
criticality to the plugin bug. What makes things worse is the fact,
that the presented vulnerabilities
(and some more) cannot be fixed by just installing a
clean 1.4.2_06, you need to adjust the policy file manually if you stick
to Opera 7.54, which is the current product version. So we have an
up2date program version with unfixed and exploitable vulns.
These vulns are labeled 'uncritical' in some "expert" security databases
(http://secunia.com/advisories/13257/) . This trivilization is a pretty 
bad starting point when you really want to "stay secure" :-(
The bug is not fixed, may expose your user name and
harddisk structure to some untrusted software and is labeled 'uncritical' ?

To summarize, don't be misled by these unrealistic criticality levels,
to protect your privacy  remove opera, remove all old java versions,
install java 1.4.2_06 (optionally) and use a decent browsers that
implements the plugin standard interface (such as Firefox).
This last recommendation is temporarily and may be obsolete when an official
7.60 version has been released. Hopefully before xmas ?

Sincerely
Marc Schönefeld

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFBsgDMqCaQvrKNUNQRAn2nAJ9Q5RG4SiUIHQn7F73i+HxMGxaPAgCdH6Uc
YyjlqzlYOKclJK6QaE2769A=
=g6P3
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH