14 DAY TRIAL // After initially downplaying the vulnerability discovered by security firm Secunia, Opera Software confirmed it was working on a patch for a critical security issue in its Opera desktop browser. The company did not set a timeline for the arrival of the fix. However, a spokesman did say Opera would release it to the public "as soon as possible." Luckily for Mac users, the patch is needed only on Windows machines.
"There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued," an entry by Carsten Eiram over at the Secunia Blog reads. The blog in question is used to communicate the company’s opinions about vulnerabilities, security, ethics, etc. "During the past days, we have […] been working with Opera Software and providing them with details to clarify that the threat is not just a crash, but has code execution potential. Opera Software has acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible," Eiram says.
A PC Advisor report includes a statement from Opera spokesman Thomas Ford, who, referring to the bug in question, says, "In a 64bit environment this would still crash, but in a 32bit environment it ... could potentially be used to move memory from one location to another without crashing, provided the specified length was not too long."
Downplaying the threat, Ford adds that it's unlikely any exploit would be reliable enough to pose a risk to users. "There are so many dependencies in data used in an application like Opera that getting valid data into every location that needs it is rather unlikely, and a crash soon after the corruption is the most likely scenario, unless the final phase of the attack can be carried through very quickly, something which depends on a large number of variables," he adds.
The report confirms that only the Windows versions of Opera are affected by this bug. Windows PC owners using the insecure browser need to make sure that DEP (data execution prevention) and ASLR (address space layout randomisation) are enabled, in order to protect themselves against attacks, Ford explains.