lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 4 Dec 2004 19:24:08 +0100 (MEZ)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Subject: Opera 7.54 vulnerabilities again (still unfixed)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi out there,

there have been questions concerning the criticality of the opera 7.54
security hole series which was published last month
(http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html).

- From my subjective point of view, the opera bug is worse for users, because
it is
not fixed in the core product, only in the beta version, while the
sun plugin bug has been fixed since 1.4.2_06. Remember: Opera does not use
the standard plugin mechanism although they allow to use a standard jre.
This
should not be mixed up.

The opera implementation does allow to load any sun.* class by the
applet regardless of the JDK version installed. This is comparable in
criticality to the plugin bug. What makes things worse is the fact,
that the presented vulnerabilities
(and some more) cannot be fixed by just installing a
clean 1.4.2_06, you need to adjust the policy file manually if you stick
to Opera 7.54, which is the current product version. So we have an
up2date program version with unfixed and exploitable vulns.
These vulns are labeled 'uncritical' in some "expert" security databases
(http://secunia.com/advisories/13257/) . This trivilization is a pretty
bad starting point when you really want to "stay secure" :-(
The bug is not fixed, may expose your user name and
harddisk structure to some untrusted software and is labeled 'uncritical' ?

To summarize, don't be misled by these unrealistic criticality levels,
to protect your privacy  remove opera, remove all old java versions,
install java 1.4.2_06 (optionally) and use a decent browsers that
implements the plugin standard interface (such as Firefox).
This last recommendation is temporarily and may be obsolete when an official
7.60 version has been released. Hopefully before xmas ?

Sincerely
Marc Schönefeld

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFBsgDMqCaQvrKNUNQRAn2nAJ9Q5RG4SiUIHQn7F73i+HxMGxaPAgCdH6Uc
YyjlqzlYOKclJK6QaE2769A=
=g6P3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ