Security changes in Opera 23
Opera 23 has been out on the stable channel for a while, and we have just released a few silent security updates as well. The first was a regular Opera security fix, the second was to take in a security patch in advance of the regular Chromium update cycle, and the third was to take in the regular Chromium update. In addition to any fixes included in the Chromium update, the following issues were fixed in the security updates:
- DNA-21542; Moderate severity; certificate revocation checks failing on Mac.
- DNA-24508; High severity; include the patch for Chromium issue 398925, CVE-2014-3166.
Opera and Chromium
Since we have your attention, we wanted to take some time to introduce you to the relationship between Opera and Chromium.
Opera has used the open source Chromium browser engine to power the Opera browser for well over a year now. This does not mean that Opera no longer develops a browser engine. From the outset, Opera has been contributing fixes back to the Chromium project, and a great number of contributions come from the Opera developers, whether fixing bugs, adding features, or simply tidying up older code.
As of May 2014, we have also been members of the Chromium Security Group; the first external company to be accepted into this role. We are able to make active contributions to the security of the engine, and participate in the discussions which determine the future security of upcoming features.
Despite using the Chromium engine, Opera is not just another Chromium skin. Google Chrome and Opera may strive to have a simplistic and uncluttered interface, and the immediately-visible features are likely to be quite similar in most browsers. However, Opera’s user interface is almost entirely independent, complete with its own features. Like all software, it can have bugs and security issues; any bugs in the user interface are likely to be Opera bugs, not Chromium bugs.
It is even possible for Opera and Chromium to have the same bugs, brought on by entirely independent implementations of the same feature. For example, back in Opera 22, we fixed a bug which could – if an attacker could convince the user to perform a specific set of interactions and load a target website which returned a HTTP 204 header – cause the target address to be displayed while the browser shows the attacking page. A seemingly similar – but not considered exploitable – problem was also fixed in Chromium, but Opera’s issue was entirely independent, and was not fixed by a Chromium update. It needed to be fixed in Opera, and could possibly even be exploited in Opera, given the right user interaction. Credits to Ahmed Elsobky (@MrEagle0x) for reporting that issue to us.
If you discover any bugs or security issues in Opera, please do let us know. Even if you also see the same security issue in Chromium, it could potentially be an independent issue. If you also report it to us, we will be happy to let you know whether it is an independent Opera issue (and don’t worry, it won’t have any effect on your Chromium Vulnerability Reward if you report the issue to us, as long as you also report it to the Chromium project).