Security changes and features of Opera 19

Opera 19 has now been put through its paces on the Developer and Next channels, and is now out on the Stable channel. Opera 19 for Android has also recently been released.

New features

As with every release, each new feature goes through extensive testing, and that includes a security review. Changes to existing features are also tested in this way. The security review makes sure that there are no negative security implications of the new feature. Even seemingly unimportant features get this attention.

For example, the Bookmarks bar (which can be turned on in the settings) has received a series of improvements. It was also reviewed to make sure it cannot be abused. It may not at first seem like a feature open to abuse, but it includes a warning when bookmarklets are dropped onto it, so that the user realises what they are dropping. While this would not be directly exploitable (it would require a user to comply with several manual steps before the bookmarklet could be used on a target site), we consider this to be a layer of protection for users.
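
A warning like the one described above depends on recognising a bookmarklet reliably. The following is an added example, not Opera's code: it assumes a bookmarklet is any dropped URL whose scheme is javascript: after the whitespace and control-character stripping that URL parsers perform, and all function names are hypothetical.

```javascript
// Added example: decide whether a URL dropped onto a bookmarks bar
// should trigger a bookmarklet warning. All names are hypothetical.

// Schemes that run script on the page being viewed when the bookmark is clicked.
const SCRIPT_SCHEMES = new Set(["javascript"]);

// Normalise the way URL parsers do before reading the scheme:
// strip leading/trailing C0 control characters and spaces, then remove
// ASCII tab and newline characters from anywhere in the string.
function normaliseDroppedUrl(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lower-cased scheme, or null if the input has no valid scheme.
function schemeOf(raw) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normaliseDroppedUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Returns the action the drop handler should take (assumed policy).
function classifyDrop(raw) {
  const scheme = schemeOf(raw);
  if (scheme === null) {
    return { action: "reject", reason: "no scheme" };
  }
  if (SCRIPT_SCHEMES.has(scheme)) {
    return { action: "warn", reason: "bookmarklet: runs script on the page where it is clicked" };
  }
  return { action: "allow", reason: `ordinary ${scheme}: link` };
}

// Constructed sample inputs, including obfuscated spellings of the scheme.
const samples = [
  "https://www.opera.com/",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "java\tscript:void(0)",
  "example.com/page",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classifyDrop(s).action);
}
```

Comparing the raw string against "javascript:" would miss the third and fourth samples, which a URL parser still treats as script URLs.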

Security issue fixes

The following security issue was fixed in Opera 19:

  • DNA-14173; Low severity: Address bar spoofing on Mac platform with drag and drop, reported by Jordi Chancel

Other privacy or security-related fixes and changes

A couple of low-impact privacy bugs also got fixed in Opera for desktop, such as the zoom state of websites not being reset when clearing browsing data. These can be seen on the changelog. Such bugs cannot be abused by a remote attacker, so they are not actively exploitable.

Opera on Android has some support for the "intent:" protocol, which allows it to interact with functionality provided by other locally installed products. This capability was reduced in Opera 18 for Android to prevent it from interacting with certain products. Recently, Takeshi Terada of Mitsui Bussan Secure Directions Inc. discovered a way to abuse the intent: protocol in Opera versions prior to Opera 18 for Android (JPCERT CVE-2014-0815). The interaction between two products could be used to reveal the contents of local data files such as the Opera cookie store. Although this is already prevented in Opera 18 for Android, we have now added extra restrictions in Opera 19, to prevent any further possibly unwanted product interactions.

  • Vux777

    but it includes a warning when bookmarklets are dropped onto it, so that the user realises what they are dropping.

    It would be nice to also have a prompt for deleting Bookmarks Bar and SD items, as confirmation. If someone accidentally clicks remove instead of edit on a bookmark, or (x) on an SD thumb…it is gone for good. No confirmation, no trash can… it can be restored only by memory.

    • Nekomajin42

      Confirm exit on window control X button would be nice also.

  • L33t4opera

    Thanks for the info and for the fixes ;-)

  • Chas4

    :knight: