Security changes and features of Opera 19

New features

As with every release, each new feature goes through extensive testing, and that includes a security review. Changes to existing features are also tested in this way. The security review makes sure that there are no negative security implications of the new feature. Even seemingly unimportant features get this attention.

For example, the Bookmarks bar (which can be turned on in the settings) has received a series of improvements. It also was reviewed to make sure it cannot be abused. It may not at first seem like a feature open for abuse, but it includes a warning when bookmarklets are dropped onto it, so that the user realises what they are dropping. While this would not be directly exploitable (it would require a user to comply with several manual steps before the bookmarklet could be used on a target site), we consider this to be a layer of protection for users.

Other privacy or security-related fixes and changes

A couple of low-impact privacy bugs also got fixed in Opera for desktop, such as the zoom state of websites not being reset when clearing browsing data. These can be seen on the changelog. Such bugs cannot be abused by a remote attacker, so they are not actively exploitable.

Opera on Android has some support for the “intent:” protocol, which allows it to interact with functionality provided by other locally installed products. This capability was reduced in Opera 18 for Android to prevent it from interacting with certain products. Recently, Takeshi Terada of Mitsui Bussan Secure Directions Inc. discovered a way to abuse the intent: protocol in Opera versions prior to Opera 18 for Android (JPCERT CVE-2014-0815). The interaction between two products could be used to reveal the contents of local data files such as the Opera cookie store. Although this is already prevented in Opera 18 for Android, we have now added extra restrictions in Opera 19, to prevent any further possibly unwanted product interactions.