Opera confirms critical browser bug

Opera Software yesterday confirmed a critical vulnerability in its Windows desktop browser, and said it is working on a patch.

The Norwegian browser maker did not set a timeline for fixing the bug, but a spokesman Monday said it would be released "as soon as possible."

The flaw, which Danish bug tracking vendor Secunia rated as " highly critical ," the second-highest ranking in its five-step scoring system, can be exploited by attackers to corrupt memory, crash Opera and theoretically execute attack code. According to the researcher who posted proof-of-concept attack code on the Web last week, the bug affects Opera 10, including the newest version, Opera 10.50 , which shipped last week.

Opera contested Secunia's initial report of the vulnerability, claiming that the bug is not a security issue because attackers would be able to only crash the browser, not gain control of the PC. After prompting from Secunia and further investigation, however, Opera conceded that the flaw might be exploitable.

"In a 64-bit environment this would still crash, but in a 32-bit environment it ... could potentially be used to move memory from one location to another without crashing, provided the specified length was not too long," said Opera spokesman Thomas Ford in an e-mail Monday.

Ford downplayed the threat, saying that it's unlikely any exploit would be reliable enough to pose a risk to users. "There are so many dependencies in data used in an application like Opera that getting valid data into every location that needs it is rather unlikely, and a crash soon after the corruption is the most likely scenario, unless the final phase of the attack can be carried through very quickly, something which depends on a large number of variables," he added.

Only the Windows versions of Opera contain the vulnerability; users can protect their PCs until a patch is issued by making sure that DEP (data execution prevention) and ASLR (address space layout randomization) are enabled, said Ford. Microsoft debuted DEP with Windows XP Service Pack 2 (SP2) in 2004, and began using ASLR with Windows Vista in early 2007. Windows 7 features both security mechanisms.

"Since this is considered a security issue, even if it is currently theoretical, we have a fix ready and are testing it," said Ford. "The plan is to release an update of Opera soon."

Opera accounted for about 2.4% of all browsers used worldwide last month, according to U.S. metrics company NetApplications.com. Irish measurement company StatCounter, meanwhile, estimated that Opera owned a 2% global share in February, but a 4.3% share in Europe.

The browser is one of the five that appear by default in the first screen of the browser ballot that Microsoft began sending to Windows users in the European Union last week.