Welcome back to the big leagues: Opera denies severity of 10.5 exploit


12:02 pm EST March 9, 2010 · A spokesperson for Opera Software provided Betanews this morning with a summary of a complete blog post on the alleged exploit of Opera 10.5, published moments ago:

"The original report about the Windows-only malformed Content-length header problem is not a security issue, but a variant of the issue, brought to our attention by Secunia, has a theoretical possibility of allowing arbitrary code to run. We have developed a fix for the problem, which is being tested, and are planning to release an update of Opera soon. Until then, if Opera crashes on an untrusted site, you should avoid visiting that site again."

11:52 am EST March 9, 2010 · Though Opera, like every Web browser, has never been immune to exploits, news of the first serious exploit to affect its new and groundbreaking version 10.5 now has the company's representatives taking time away from finishing the Mac build of 10.5 to respond to what security firm Secunia is calling a "highly critical" vulnerability in the new product.

Last Wednesday, purported server-side exploit code for Opera, written in PHP, appeared on a "gray-hat" Web site where such exploits are commonly posted. The author is credited as Marcin Ressel, who, contrary to blog reports, does not appear to be an engineer with either Secunia or Vupen Security (the name could be a made-up identity, for all anyone knows). In the code listing, Ressel left an e-mail address under the Polish .PL domain, along with a playlist of favorite music from a Polish streaming site.

In the code's comments, Ressel describes the exploit as "Integer overflow leading to out of bounds array access R/W [read/write]." The overflow is apparently triggered by a maliciously malformed HTTP response header: specifically, the value of the Content-Length header is replaced with a long run of '9's, a decimal number far larger than the integer the browser uses to hold it.

An examination of the code suggests, by the author's own admission, that it may not be very sophisticated. For example, the statement that generates the malformed header carries the comment /*Generated by my own fuzzer*/, which could mean that he wrote a fuzzer, or simply that he owns an effective one. The code does appear to quietly open a socket connection with the client, which it presumes is Opera (it tests for the operating system, but does not appear to test for the browser brand).
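To make the bug class in Ressel's comment concrete, here is an added example in C. It is not Opera's code and not the PHP exploit the article describes; the response text, the 64 MiB cap, and every function name are constructed for this illustration. It shows a Content-Length value consisting only of '9's being parsed two ways: a naive digit loop that wraps a 32-bit integer, and a hardened parser that rejects the value outright.

```c
/* Added example, not Opera's code and not the exploit posted by Ressel.
 * Demonstrates integer overflow while parsing an HTTP Content-Length header,
 * next to a parser that refuses it. The response, the 64 MiB cap and the
 * function names are constructed for this illustration.
 * Build: cc -std=c99 -Wall content_length.c */
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed response: a long run of '9's in Content-Length. */
static const char CONSTRUCTED_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 99999999999999999999999999999999\r\n"
    "\r\n";

/* Copy the value of the first Content-Length header (case-insensitive name,
 * leading spaces/tabs skipped, value ends at CR or LF) into buf.
 * Returns buf, or NULL if the header is absent or the value does not fit. */
const char *find_content_length(const char *headers, char *buf, size_t buflen)
{
    static const char name[] = "content-length:";
    const size_t nlen = sizeof(name) - 1;
    const char *line = headers;
    while (*line) {
        if (strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen;
            while (*v == ' ' || *v == '\t') v++;
            size_t i = 0;
            while (v[i] && v[i] != '\r' && v[i] != '\n') {
                if (i + 1 >= buflen) return NULL;
                buf[i] = v[i];
                i++;
            }
            buf[i] = '\0';
            return buf;
        }
        const char *nl = strchr(line, '\n');
        if (nl == NULL) break;
        line = nl + 1;
    }
    return NULL;
}

/* Vulnerable pattern: digits accumulated into a 32-bit integer with no
 * overflow check. Ten nines (9,999,999,999) wraps to 1,410,065,407, a
 * plausible-looking size; thirty-two nines is 10^32 - 1, and 10^32 is a
 * multiple of 2^32, so the result wraps to 0xFFFFFFFF (-1 as a signed int).
 * A length that wraps can pass a "too big" check and then disagree with the
 * number of bytes that actually arrive, which is how out-of-bounds reads
 * and writes follow. */
uint32_t naive_content_length(const char *value)
{
    uint32_t n = 0;
    for (; isdigit((unsigned char)*value); value++)
        n = n * 10u + (uint32_t)(*value - '0');   /* wraps modulo 2^32 */
    return n;
}

/* Hardened parser: returns 0 with *out set on success, -1 on an empty value,
 * any non-digit (so no sign, no whitespace), overflow of unsigned long long,
 * or a value above a policy cap. */
#define MAX_BODY_BYTES (64u * 1024u * 1024u)   /* constructed 64 MiB cap */

int safe_content_length(const char *value, uint32_t *out)
{
    if (value == NULL || *value == '\0') return -1;
    for (const char *p = value; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;  /* ASCII digits only */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0') return -1;
    if (v > MAX_BODY_BYTES) return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    char value[64];
    uint32_t len = 0;
    if (find_content_length(CONSTRUCTED_RESPONSE, value, sizeof value) == NULL) {
        puts("no Content-Length header");
        return 1;
    }
    uint32_t naive = naive_content_length(value);
    printf("header value: %s\n", value);
    printf("naive parse:  %" PRIu32 " (0x%08" PRIx32 ")\n", naive, naive);
    printf("safe parse:   %s\n",
           safe_content_length(value, &len) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened version rejects before any arithmetic on the value: digits only, then strtoull with its ERANGE check, then a cap well below the width of whatever integer the rest of the code stores the length in. The cap is the part a browser would tune to its own buffer policy; the point is that the value never reaches a fixed-width integer unchecked.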

So the question is whether the exploit code, after triggering the exception, can deliver a malicious payload to the Opera browser. In a statement last Friday, Opera Communications Director Tor Odland gave the Norwegian tech news service Digi.no all of one sentence: that Opera had confirmed the exploit was not harmful. In a follow-up statement this morning on Twitter, Opera engineer Haavard wrote, "Our security guys are working on proper public information on Secunia advisory 38820." This after having tweeted earlier that no one on Opera's development team had been able to actually deliver a malicious payload using the exploit.

The Secunia advisory, published last Thursday, states, "Successful exploitation may allow execution of arbitrary code." The key word here could be "may," as opposed to "does" or "will."

Ressel's comments indicated that while the exploit affected Opera 10.5 for certain, he was confident it probably affected version 10.1 and earlier as well. The Secunia advisory made effectively the same claim, that older versions were possibly affected. And while Vupen's advisory said its team had confirmed only that 10.5 was vulnerable, the term "prior" appeared under "Affected Products." It might, or may, or will be nice for someone to actually try that out and see.
