Opera flaw highlights vulnerability of browsers

25 Jan 2011

Reports that the Opera web browser has been hit by a zero-day vulnerability highlight the fact that all web browser clients are, by their nature, insecure, says Idappcom, the data traffic analysis and security specialist.

According to Anthony Haywood, the firm’s chief technology officer, Opera is popular amongst users of smartphones and netbooks, owing to its relatively small footprint.

“Ironically, it’s also been gaining traction on account of its less-than-mainstream status, which some experts have observed means that the software is less of a target by hackers and cyber criminals,” he said.

“This reasoning appears quite sound, until you realise the world’s internet browser user base is now measured in hundreds of millions, which means that a client that accounts for a fraction of a percentage still means there are millions of users out there in cyber space,” he added.

Haywood went on to say that the fact a browser is low profile and has a select user base can actually make it attractive in the eyes of cyber criminals, as hackers can start exploring what appears to be virgin territory as far as vulnerabilities are concerned.

The most important thing to realise about web browser client software, he says, is that it is designed to access a variety of websites, typically using Port 80 for regular HTTP access, and Port 443 for HTTPS access.

With so many IP ports available, this might sound like a small IP profile to deal with from a security perspective, but the problem is that there are a growing number of non-standard applications that use Port 80 across the internet, meaning a web browser client must be able to support these features, he explained.

Latest vulnerability

Haywood said this latest vulnerability – which some sources are reporting as a zero-day issue – allows potential attackers to execute arbitrary code remotely.

The flaw was discovered by French security researcher Jordi Chancel who disclosed it on his blog earlier this month, and classified the problem as an integer truncation error.

“Although technically complex, the flaw can cause Opera to crash, although the potential silver lining here is that the address of the memory violation is reported to be unpredictable. This makes the vulnerability less easy to exploit from a hacking perspective,” he said.

“Is Opera less or more secure than the other mainstream browsers? That depends on your perspective. The reality is that any software that uses Port 80 across the internet has to be viewed as a potential security issue and users – especially IT managers – need to be aware of this fact,” he added.

“The bottom line to this latest browser flaw is that internet software users need to install multiple layers of security defence, and ensure their software – and their security knowledge – is as up to date as possible,” Chancel said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
