The inclusion of a web server gives attackers clear line-of-sight to their targets

There have been a few articles on Opera Unite that have called into question the security of the decision to include a web server with the browser. Most of those discussions have centered around the ability to muck with files not intended by the host to be shared, but given current infection techniques there’s a far greater danger to Opera: mass injection attacks.

As is often pointed out, current attack techniques are not necessarily targeting web sites per se, but are intended to infect the users of such websites. Attacks like NineBall, Gumblar, and Beladen infect web sites but only as a means to create a distribution network for their user-targeted malware.

Opera’s decision to include a web server removes the middleman, as it were, and gives miscreants the opportunity to go right to the source. A source that may very well be less protected than most web sites. After all, users rarely have the security infrastructure in place to detect, let alone stop, such attacks, and while turning on the Windows firewall may be helpful in stopping unsolicited traffic, one cannot argue that purposefully running and advertising web services on your PC via Opera’s integrated web server is anything but soliciting traffic. You want people to access your personal machine if you’re offering services on it, which means you’re opening yourself up to a variety of potential attacks.

Both W3Schools and Haavard web analytics place Opera’s market share at about 2.2% of users. That number is somewhat meaningless without total Internet user statistics, which we’ll pull from Nielsen via InternetWorldStats. Current estimates put the total number of Internet users at 1,596,270,108. Assuming this is accurate, that would mean Opera is currently in use by about 35,117,942 users. We’ll call it 35 million to make it easier. Not every Opera user will upgrade, so let’s say half of them will upgrade to Unite, about 17 million. Let’s further assume that not all of them will actually enable the services: figure that about half of those running Unite will actually do so, about 8 million.

That’s still a target-rich environment. Imagine 8 million fairly unprotected users – miscreants’ intended targets – running services on their machines that are begging to be attacked. But don’t worry, unless someone is a “hacker” they won’t be able to get at anything.

A spokesperson from Opera told both ZDNet and CNET, when asked if the Unite platform would offer the ability for someone to access data on a host PC that the host didn’t intend to share, “Definitely not,” the spokesperson said, “unless they’re a hacker.”

Well, that answers that, doesn’t it? I’ll give the Opera spokesperson this: s/he’s honest about it, at least.

So we have 8 million target-rich environments without any real security to prevent exploitation of vulnerabilities that experts say are inevitable.

“Should vulnerabilities in Opera be discovered which permit code execution, an attacker would be able to turn on the file sharing capabilities of Opera Unite and share arbitrary content. Looking at the security track record of Opera, it's not a matter of if but when such a vulnerability will be discovered,” Sutton said.

I am not feeling good about this one at all.


STRAIGHT TO THE SOURCE
The potential for miscreants to easily go straight to the source, as it were, should cause alarm bells to be ringing a lot louder than they are simply because the user can enable access to a potentially vulnerable server without any real security in place to prevent exploitation.

Given the ease with which attackers have been able to infect websites with NineBall and Gumblar and a variety of other malware-focused hacks, it would not be difficult to imagine an infection which simply gathers information about the browser and sends that information off to a botnet for further exploitation. Such an infection would be infinitely more difficult to detect, as there would be no real evidence that the information was being gathered. Infections today are noticed because users are redirected or malware is introduced into their systems and it’s noticed by someone. Simply gathering the browser agent as a means to compile a list of targets is not necessarily going to include redirection or the download of anything. And once such a list is compiled the targets can be directly attacked.

Assuming a common vulnerability is discovered in Opera Unite, the attacks could potentially then turn 8 million (assuming our calculations and statistics are correct) unprotected users into a botnet capable of, well, just about anything.

Web site vulnerabilities are discovered almost by accident these days, with miscreants creating a generic attack and then blindly throwing it out against thousands of potentially vulnerable sites and hoping one of them will stick. That’s because the would-be attackers don’t have private access to the sites and applications they are attacking. But with Opera Unite, they can and will have private access to twiddle and muck and hack until they find what they need.

Web applications are traditionally deployed in an environment with additional security solutions in place to prevent attack and infection. While web applications acting as a “middleman” are generally better protected and therefore are almost an additional layer of security against client infection, the infections out there today suggest that layer is little better than nothing. But still better than nothing. Solutions that would let a user prevent such attacks and infections don’t really exist, and even if they did, the general user should not be expected to know how to configure something like mod_security or an IPS/IDS or a web application firewall. These users are completely at the mercy of Opera to ensure the safety of their environments against what certainly appears to be an imminent exploitation of the environment.

Given company responses to security concerns and Opera’s track record, thus far that’s not a comforting thought.

Unless you’re a hacker.
