Opera 23 has been out on the stable channel for a while, and we have just released a few silent security updates as well. The first was a regular Opera security fix, the second was to take in a security patch in advance of the regular Chromium update cycle, and the third was to take in the regular Chromium update. In addition to any fixes included in the Chromium update, the following issues were fixed in the security updates:

  • DNA-21542; Moderate severity; certificate revocation checks failing on Mac.
  • DNA-24508; High severity; include the patch for Chromium issue 398925, CVE-2014-3166.

Opera and Chromium

Since we have your attention, we wanted to take some time to introduce you to the relationship between Opera and Chromium.

Opera has used the open source Chromium browser engine to power the Opera browser for well over a year now. This does not mean that Opera no longer develops a browser engine. From the outset, Opera has been contributing fixes back to the Chromium project, and a great number of contributions come from the Opera developers, whether fixing bugs, adding features, or simply tidying up older code.

As of May 2014, we have also been members of the Chromium Security Group, the first external company to be accepted into this role. We are able to make active contributions to the security of the engine, and participate in the discussions which determine the future security of upcoming features.

Despite using the Chromium engine, Opera is not just another Chromium skin. Google Chrome and Opera may strive to have a simplistic and uncluttered interface, and the immediately-visible features are likely to be quite similar in most browsers. However, Opera’s user interface is almost entirely independent, complete with its own features. Like all software, it can have bugs and security issues; any bugs in the user interface are likely to be Opera bugs, not Chromium bugs.

It is even possible for Opera and Chromium to have the same bugs, brought on by entirely independent implementations of the same feature. For example, back in Opera 22, we fixed a bug which could – if an attacker could convince the user to perform a specific set of interactions and load a target website which returned an HTTP 204 header – cause the target address to be displayed while the browser shows the attacking page. A seemingly similar – but not considered exploitable – problem was also fixed in Chromium, but Opera’s issue was entirely independent, and was not fixed by a Chromium update. It needed to be fixed in Opera, and could possibly even be exploited in Opera, given the right user interaction. Credits to Ahmed Elsobky (@MrEagle0x) for reporting that issue to us.

If you discover any bugs or security issues in Opera, please do let us know. Even if you also see the same security issue in Chromium, it could potentially be an independent issue. If you also report it to us, we will be happy to let you know whether it is an independent Opera issue (and don’t worry, it won’t have any effect on your Chromium Vulnerability Reward if you report the issue to us, as long as you also report it to the Chromium project).

  • L33t4opera

    Hi Tarquin, thanks for the info regarding the security fixes. As always I’m really grateful that you and your team take care of the security matters in Opera. Good job!

  • Piotr Karol Marek Żółtowski

    Opera has been contributing fixes back to the Chromium project, and a great number of contributions come from the Opera developers, whether
    fixing bugs, adding features, or simply tidying up older code.

    Stupid ChrOpera’s LIARS. There’s a difference when in almost every new dev/beta version of Chromium there are MANY e-mails ending in chromium.org or google.com and almost no e-mails ending in opera.com. Everyone who watches the Chrome blog in an RSS reader (if you know what RSS is), where Google posts new versions of Chromium, can see that, so don’t write that you have many contributions to Chromium, because it’s 100% a LIE. The percentage of your browser usage will be small or even smaller if you continue lying to the users, as you are doing now in this post 🙂
    ___________________________

    Despite using the Chromium engine, Opera is not just another Chromium skin.

    Yes, IT IS A CHROMIUM SKIN. You can’t change many things in ChrOpera, just like in Chrome/Chromium. In both of these browsers there’s no status bar and there’s no extension which will bring it back. There are no panels in either browser. In ChrOpera you call images a theme, which is totally stupid, and there’s no sync, which is now standard in all popular browsers. Both ChrOpera and Chrome/Chromium eat a lot of RAM on low-end machines, so you can’t use this “browser” normally. ChrOpera doesn’t have the bookmarks from Opera 12 and it never will. And this is only the beginning of the iceberg, so STOP LYING TO USERS and BRING BACK ALL FEATURES(!) or you will be crushed in the future by Otter Browser, which is now in beta stage (current version: beta 2) and has more FEATURES than ChrOpera.

    • SQL

      Oh boy, I’m laughing hard here.

    • SQL

      Oh, and I hope that you know that Otter is going to use Blink too in the future? Will you then leave Otter because it’s using Blink?

    • Nekomajin43

      I can only ask what I ask from others like you: Why are you here? If you don’t like the new Opera, why do you keep commenting? If you like Otter, why don’t you use it and be happy? What’s the point of ranting here?

      • Piotr Karol Marek Żółtowski

        Because, like Zhenis said in one comment about a new version of ChrOpera (I can’t remember exactly which news post now), it’s a free world. So I can choose another product made by a different company, but I HAVE THE RIGHT to CRITICIZE the product, which was built over almost 20 years, and everything was fine until von Tetzchner (and a few main programmers also) left Opera, and it was the best because of its configurability, which many Opera users loved, including me.

        • Nekomajin43

          Does it solve your problem?

  • :knight:

    I notice you also inherited a bug in the pop-up blocker with some background popups (Apple has had the bug in Safari, and Chromium inherited the bug from WebKit; I did report it to Apple in 2008 or so). Presto-based Opera blocked them fine. It is hard to find the test that I confirmed it with.

  • B34ROp

    Hi,
    How long will Opera 23 be supported with security updates?
    Is version 22 still supported?
    Could you please give us information about the Opera product lifecycle, generally speaking?
    Thanks !

    • tarquinwj

      For computers, Opera’s security updates are issued as a regular browser update. That means: if you want the security fixes, stick to the latest version. Opera 25 is the latest release at the time of writing, and that contains a security fix.

      You cannot use Opera 22 and expect to have all of the security fixes that were included in Opera 23, 24 and 25. Opera 23 is the security update for Opera 22. Opera 24 is the security update for Opera 23. Opera 25 is the security update for Opera 24. And so on.

      Don’t use an old version and expect to be secure. Always use the latest version.

  • knuthf

    Once more my proposal:
    Can you make Opera so that Java and Flash execute as special users, i.e. you have to do a “sudo $USER-Java;” when you start Java, and “sudo $USER-Flash;” when you start Flash. If the users do not exist, make them, with a home where the browser keeps its cache (or Java or Flash). Well, if a JavaScript then wants to upload a file, the Java user has to have access to the file, or “su” back to obtain access, which means giving the user’s password again. Then Opera will have a safe “sandbox” and, unless you are silly and save the password, Opera will have higher security than the other browsers. It is up to the user to decide what Internet resources are allowed to view and get access to. A side effect is of course that all trojans or viruses will also run as another user with very constrained access. They can guess the IP address of a backdoor (127.0.0.1) – but what they are admitted into is then a tiny spot of browser cached files, cookies but no Coke… Forget about Windows – do the same there later.