Opera for windows 98



 
 
  #11  
Old September 30th 09, 02:52 AM posted to microsoft.public.win98.gen_discussion
glee
External Usenet User
 
Posts: 2,458
Default Opera for windows 98

replies inline....
"98 Guy" wrote in message ...
snip
Opera 9 has the following unpatched vulnerabilities:

http://secunia.com/advisories/36414/

Details:

http://www.opera.com/support/kb/view/929/ (trivial)
http://www.opera.com/support/kb/view/930/ (trivial)
http://www.opera.com/support/kb/view/932/ (trivial)
http://www.opera.com/support/kb/view/934/ (I say trivial)



I wouldn't call either http://www.opera.com/support/kb/view/929/ or
http://www.opera.com/support/kb/view/934/ exactly trivial, though they
aren't critical.


For e-mail and usenet news reading, I use Netscape Communicator 4.79.
For web browsing, I use firefox 2.0.0.20. No known vulnerabilities to
either of those that have been shown to be in circulation or effective
when used in conjunction with Windows 98.


Just as an aside, because obviously users of Win98 will eventually have
few or no options left but to use End Of Life software:

The fact that vulnerabilities are not reported for Firefox 2.0.0.20 does
not indicate that they don't exist, only that the product is considered
End Of Life and is no longer checked for vulnerabilities, AFAIK. Do you
have any links to show that v.2.0.0.20 is even being tested for any
recent vulnerabilities? Mozilla does not appear to check the old
versions any longer and I see no evidence that any other groups do,
including Secunia. Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have time right now to look
it up.

Similarly, Communicator 4.79 has been EOL for quite some time, and no
one is checking it for vulnerabilities, so the fact they are not being
reported does not mean they don't exist.
--
Glen Ventura, MS MVP Windows, A+
http://dts-l.net/

  #12  
Old September 30th 09, 04:22 AM posted to microsoft.public.win98.gen_discussion
MEB[_18_]
External Usenet User
 
Posts: 537
Default Opera for windows 98

glee wrote:
replies inline....
"98 Guy" wrote in message ...
snip
Opera 9 has the following unpatched vulnerabilities:

http://secunia.com/advisories/36414/

Details:

http://www.opera.com/support/kb/view/929/ (trivial)
http://www.opera.com/support/kb/view/930/ (trivial)
http://www.opera.com/support/kb/view/932/ (trivial)
http://www.opera.com/support/kb/view/934/ (I say trivial)



I wouldn't call either http://www.opera.com/support/kb/view/929/ or
http://www.opera.com/support/kb/view/934/ exactly trivial, though they
aren't critical.


For e-mail and usenet news reading, I use Netscape Communicator 4.79.
For web browsing, I use firefox 2.0.0.20. No known vulnerabilities to
either of those that have been shown to be in circulation or effective
when used in conjunction with Windows 98.


Just as an aside, because obviously users of Win98 will eventually have
few or no options left but to use End Of Life software:

The fact that vulnerabilities are not reported for Firefox 2.0.0.20 does
not indicate that they don't exist, only that the product is considered
End Of Life and is no longer checked for vulnerabilities, AFAIK. Do you
have any links to show that v.2.0.0.20 is even being tested for any
recent vulnerabilities? Mozilla does not appear to check the old
versions any longer and I see no evidence that any other groups do,
including Secunia. Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have time right now to look
it up.


Additionally:
FF in other OSs such as Linux received additional updates to address a
few of the known vulnerabilities [such as the browser killer found
directly after the official .20 final release for 9X] using source,
however, even there FF has proceeded into the 3.+ versions [also
receiving further updates to address numerous vulnerabilities].

Reference:
This list ENDS with FF 2.0.0.20 release, *however*, it directs to FF 3.
for vulnerabilities fixed, that *WERE* part of the FF 2.0.0.20 version:
http://www.mozilla.org/security/know...firefox20.html
http://www.mozilla.org/security/know...firefox30.html


Similarly, Communicator 4.79 has been EOL for quite some time, and no
one is checking it for vulnerabilities, so the fact they are not being
reported does not mean they don't exist.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
  #14  
Old September 30th 09, 03:41 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Opera for windows 98

glee wrote:

I wouldn't call either http://www.opera.com/support/kb/view/929/
or http://www.opera.com/support/kb/view/934/ exactly trivial,
though they aren't critical.


-----------------
929:

Sites using revoked intermediate certificates might be shown as secure

Opera does not check the revocation status for intermediate certificates
not served by the server. If the intermediate is revoked, this might not
impact the security rating in Opera, and the site might be shown as
secure.

934:

Opera accepts nulls and invalid wildcards in certificates

Certificate authorities are expected to vet all certificate
registrations, but may fail to prevent fraudulent or erroneous
registrations. Certificates which use a wild card immediately before the
top level domain, or nulls in the domain name, may pass validation
checks in Opera. Sites using such certificates may then incorrectly be
presented as secure.
------------------

Note that the above 2 issues were part of a group of 4 that were
announced about 3 weeks ago, and it does affect all versions of Opera
10.00.20090830. Those problems allow for "man-in-the-middle" spoofing
attempts, which themselves depend on a cascade of pre-existing
vulnerabilities and circumstances to be in place in order to
successfully gain control of an arbitrary system, which become much less
possible if the system in question is running Windows 98.

Opera version 9.64 is the last of the 9.xx versions. Version 9.62 had
this problem:

Opera 9.62 file:// Local Heap Overflow Exploit
http://www.vupen.com/english/advisories/2008/3183

Which was corrected in 9.63 or 9.64.

Then there is this:

Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit

Which affects version 9.64, but all it appears to do is to crash Opera,
not gain control of the system running it.

The fact that vulnerabilities are not reported for Firefox 2.0.0.20
does not indicate that they don't exist, only that the product is
considered End Of Life and is no longer checked for vulnerabilities,
AFAIK. Do you have any links to show that v.2.0.0.20 is even being
tested for any recent vulnerabilities?


If you're aware of ANY browser vulnerabilities that allow attackers to
gain control of remote systems which are NOT ultimately heap overflows
(resulting in the execution of arbitrary code), then please describe
them. It's my impression that all such browser vulnerabilities boil
down to heap overflows (even if they are java or script facilitated),
and there is no heap-overflow code that has ever been shown to work on
both win-9x and NT-based systems simultaneously. The point being that
code must be developed specifically for win-9x and be in a position to
be deployed in those cases where 9x systems are encountered - an
increasingly unlikely situation.

Mozilla does not appear to check the old versions
any longer and I see no evidence that any other
groups do, including Secunia.


Most vendors will simply issue a blanket statement along the lines that
a given vulnerability is present in the current - AND ALL PREVIOUS
VERSIONS without really testing all previous versions. That's
particularly true with Adobe Acrobat version 6.x family.

Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have
time right now to look it up.


There is some indication that there is a 9.65 version circa August 2009
(google for Opera 9.65 and you'll get some hits). Specifically:

http://wakoopa.com/download/opera/9.65

Which might have been a beta version of Opera 10.

Similarly, Communicator 4.79 has been EOL for quite some time,
and no one is checking it for vulnerabilities, so the fact
they are not being reported does not mean they don't exist.


Remember, I don't use communicator 4.79 for web browsing. Only email
and usenet, and as such it's a bulletproof app for that.
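
The two name checks that advisory 934, quoted in the post above, describes as missing, shown as an added example that is not part of the thread and is not Opera's code. The type `cert_name`, the functions `naive_match` and `strict_match`, and the sample names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A subject name as decoded from a certificate: bytes plus explicit length.
 * ASN.1 strings are length-prefixed, so they can contain a 0x00 byte. */
struct cert_name { const char *data; size_t len; };
#define NAME(lit) { lit, sizeof(lit) - 1 }

/* Constructed sample names (reserved .example domains, not real certificates). */
static const struct cert_name NUL_NAME   = NAME("www.bank.example\0.other.example");
static const struct cert_name TLD_WILD   = NAME("*.example");
static const struct cert_name GOOD_WILD  = NAME("*.bank.example");
static const struct cert_name EXACT_NAME = NAME("www.bank.example");

/* ASCII-only case-insensitive comparison of n bytes (hostnames are ASCII). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return false;
    }
    return true;
}

/* Flawed check, kept for comparison: it reads the name as a C string, so
 * everything after an embedded NUL is ignored, and it lets "*." stand for
 * any number of labels, including directly in front of the top-level domain. */
static bool naive_match(const struct cert_name *cn, const char *host)
{
    const char *pat = cn->data;
    size_t pl = strlen(pat);               /* stops at the first NUL byte */
    size_t hl = strlen(host);
    if (pl >= 2 && pat[0] == '*' && pat[1] == '.')
        return hl > pl - 1 && ieq(host + hl - (pl - 1), pat + 1, pl - 1);
    return hl == pl && ieq(pat, host, pl);
}

/* Length-aware check that refuses both cases from the advisory. */
static bool strict_match(const struct cert_name *cn, const char *host)
{
    size_t hl = strlen(host);
    /* 1. A NUL anywhere inside the decoded name is never a valid hostname. */
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    if (cn->data[0] == '*') {
        /* 2. '*' must be the whole leftmost label and the only wildcard. */
        if (cn->len < 3 || cn->data[1] != '.') return false;
        const char *suffix = cn->data + 2;
        size_t sl = cn->len - 2;
        if (memchr(suffix, '*', sl) != NULL) return false;
        /* 3. The part after "*." needs at least two non-empty labels, so a
         *    wildcard directly before the top-level domain is refused.
         *    (Multi-part suffixes such as co.uk need a public-suffix list,
         *    which is not handled here.) */
        const char *d = memchr(suffix, '.', sl);
        if (d == NULL || d == suffix || d == suffix + sl - 1) return false;
        /* 4. '*' covers exactly one label of the requested host. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return false;
        return strlen(dot + 1) == sl && ieq(dot + 1, suffix, sl);
    }
    if (memchr(cn->data, '*', cn->len) != NULL) return false;
    return hl == cn->len && ieq(cn->data, host, hl);
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("embedded NUL:   naive=%d strict=%d\n",
           naive_match(&NUL_NAME, host), strict_match(&NUL_NAME, host));
    printf("wildcard + TLD: naive=%d strict=%d\n",
           naive_match(&TLD_WILD, "bank.example"),
           strict_match(&TLD_WILD, "bank.example"));
    printf("valid wildcard: naive=%d strict=%d\n",
           naive_match(&GOOD_WILD, host), strict_match(&GOOD_WILD, host));
    printf("exact name:     naive=%d strict=%d\n",
           naive_match(&EXACT_NAME, host), strict_match(&EXACT_NAME, host));
    return 0;
}
```
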
  #16  
Old September 30th 09, 04:48 PM posted to microsoft.public.win98.gen_discussion
MEB[_18_]
External Usenet User
 
Posts: 537
Default Opera for windows 98

98 Guy wrote:
glee wrote:

I wouldn't call either http://www.opera.com/support/kb/view/929/
or http://www.opera.com/support/kb/view/934/ exactly trivial,
though they aren't critical.


-----------------
929:

Sites using revoked intermediate certificates might be shown as secure

Opera does not check the revocation status for intermediate certificates
not served by the server. If the intermediate is revoked, this might not
impact the security rating in Opera, and the site might be shown as
secure.

934:

Opera accepts nulls and invalid wildcards in certificates

Certificate authorities are expected to vet all certificate
registrations, but may fail to prevent fraudulent or erroneous
registrations. Certificates which use a wild card immediately before the
top level domain, or nulls in the domain name, may pass validation
checks in Opera. Sites using such certificates may then incorrectly be
presented as secure.
------------------

Note that the above 2 issues were part of a group of 4 that were
announced about 3 weeks ago, and it does affect all versions of Opera
10.00.20090830. Those problems allow for "man-in-the-middle" spoofing
attempts, which themselves depend on a cascade of pre-existing
vulnerabilities and circumstances to be in place in order to
successfully gain control of an arbitrary system, which become much less
possible if the system in question is running Windows 98.

Opera version 9.64 is the last of the 9.xx versions. Version 9.62 had
this problem:

Opera 9.62 file:// Local Heap Overflow Exploit
http://www.vupen.com/english/advisories/2008/3183

Which was corrected in 9.63 or 9.64.

Then there is this:

Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit

Which affects version 9.64, but all it appears to do is to crash Opera,
not gain control of the system running it.

The fact that vulnerabilities are not reported for Firefox 2.0.0.20
does not indicate that they don't exist, only that the product is
considered End Of Life and is no longer checked for vulnerabilities,
AFAIK. Do you have any links to show that v.2.0.0.20 is even being
tested for any recent vulnerabilities?


If you're aware of ANY browser vulnerabilities that allow attackers to
gain control of remote systems which are NOT ultimately heap overflows
(resulting in the execution of arbitrary code), then please describe
them. It's my impression that all such browser vulnerabilities boil
down to heap overflows (even if they are java or script facilitated),
and there is no heap-overflow code that has ever been shown to work on
both win-9x and NT-based systems simultaneously. The point being that
code must be developed specifically for win-9x and be in a position to
be deployed in those cases where 9x systems are encountered - an
increasingly unlikely situation.

Mozilla does not appear to check the old versions
any longer and I see no evidence that any other
groups do, including Secunia.


Most vendors will simply issue a blanket statement along the lines that
a given vulnerability is present in the current - AND ALL PREVIOUS
VERSIONS without really testing all previous versions. That's
particularly true with Adobe Acrobat version 6.x family.

Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have
time right now to look it up.


There is some indication that there is a 9.65 version circa August 2009
(google for Opera 9.65 and you'll get some hits). Specifically:

http://wakoopa.com/download/opera/9.65

Which might have been a beta version of Opera 10.

Similarly, Communicator 4.79 has been EOL for quite some time,
and no one is checking it for vulnerabilities, so the fact
they are not being reported does not mean they don't exist.


Remember, I don't use communicator 4.79 for web browsing. Only email
and usenet, and as such it's a bulletproof app for that.


Not true.
Overly broad statements which fail to address:
known un-patched vulnerabilities;
individual user activities;
external scripting/JAVA/other used within;
that the party making statement fails to appreciate the effect of
memory corruption, heap overflows, and other within the OS environment;
and other aspects that MUST ALL be taken under consideration when using
any application upon the Internet [and locally for that matter] or when
considering the effect of any particular vulnerability, exploit, or related:

http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?q=commu...+vulnerability
http://www.google.com/search?hl=en&q...ulner ability
http://www.securityforumz.com/Worms-...opict5125.html
http://www.google.com/search?hl=en&q=NNTP+vulnerability
http://www.google.com/search?hl=en&q...+vulnerability
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities

Please avoid using 98 Guy as a supposed expert for anything related to
security. This party apparently likes to discuss issues solely for
amusement or personal enjoyment.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
  #18  
Old September 30th 09, 08:37 PM posted to microsoft.public.win98.gen_discussion
MEB[_18_]
External Usenet User
 
Posts: 537
Default Opera for windows 98

MEB wrote:
98 Guy wrote:
glee wrote:

I wouldn't call either http://www.opera.com/support/kb/view/929/
or http://www.opera.com/support/kb/view/934/ exactly trivial,
though they aren't critical.

-----------------
929:

Sites using revoked intermediate certificates might be shown as secure

Opera does not check the revocation status for intermediate certificates
not served by the server. If the intermediate is revoked, this might not
impact the security rating in Opera, and the site might be shown as
secure.

934:

Opera accepts nulls and invalid wildcards in certificates

Certificate authorities are expected to vet all certificate
registrations, but may fail to prevent fraudulent or erroneous
registrations. Certificates which use a wild card immediately before the
top level domain, or nulls in the domain name, may pass validation
checks in Opera. Sites using such certificates may then incorrectly be
presented as secure.
------------------

Note that the above 2 issues were part of a group of 4 that were
announced about 3 weeks ago, and it does affect all versions of Opera
10.00.20090830. Those problems allow for "man-in-the-middle" spoofing
attempts, which themselves depend on a cascade of pre-existing
vulnerabilities and circumstances to be in place in order to
successfully gain control of an arbitrary system, which become much less
possible if the system in question is running Windows 98.

Opera version 9.64 is the last of the 9.xx versions. Version 9.62 had
this problem:

Opera 9.62 file:// Local Heap Overflow Exploit
http://www.vupen.com/english/advisories/2008/3183

Which was corrected in 9.63 or 9.64.

Then there is this:

Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit

Which affects version 9.64, but all it appears to do is to crash Opera,
not gain control of the system running it.

The fact that vulnerabilities are not reported for Firefox 2.0.0.20
does not indicate that they don't exist, only that the product is
considered End Of Life and is no longer checked for vulnerabilities,
AFAIK. Do you have any links to show that v.2.0.0.20 is even being
tested for any recent vulnerabilities?

If you're aware of ANY browser vulnerabilities that allow attackers to
gain control of remote systems which are NOT ultimately heap overflows
(resulting in the execution of arbitrary code), then please describe
them. It's my impression that all such browser vulnerabilities boil
down to heap overflows (even if they are java or script facilitated),
and there is no heap-overflow code that has ever been shown to work on
both win-9x and NT-based systems simultaneously. The point being that
code must be developed specifically for win-9x and be in a position to
be deployed in those cases where 9x systems are encountered - an
increasingly unlikely situation.

Mozilla does not appear to check the old versions
any longer and I see no evidence that any other
groups do, including Secunia.

Most vendors will simply issue a blanket statement along the lines that
a given vulnerability is present in the current - AND ALL PREVIOUS
VERSIONS without really testing all previous versions. That's
particularly true with Adobe Acrobat version 6.x family.

Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have
time right now to look it up.

There is some indication that there is a 9.65 version circa August 2009
(google for Opera 9.65 and you'll get some hits). Specifically:

http://wakoopa.com/download/opera/9.65

Which might have been a beta version of Opera 10.

Similarly, Communicator 4.79 has been EOL for quite some time,
and no one is checking it for vulnerabilities, so the fact
they are not being reported does not mean they don't exist.

Remember, I don't use communicator 4.79 for web browsing. Only email
and usenet, and as such it's a bulletproof app for that.


Not true.
Overly broad statements which fail to address:
known un-patched vulnerabilities;
individual user activities;
external scripting/JAVA/other used within;
that the party making statement fails to appreciate the effect of
memory corruption, heap overflows, and other within the OS environment;
and other aspects that MUST ALL be taken under consideration when using
any application upon the Internet [and locally for that matter] or when
considering the effect of any particular vulnerability, exploit, or related:

http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?q=commu...+vulnerability
http://www.google.com/search?hl=en&q...ulner ability
http://www.securityforumz.com/Worms-...opict5125.html
http://www.google.com/search?hl=en&q=NNTP+vulnerability
http://www.google.com/search?hl=en&q...+vulnerability
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities

Please avoid using 98 Guy as a supposed expert for anything related to
security. This party apparently likes to discuss issues solely for
amusement or personal enjoyment.


ADDENDUM pursuant other segments of the 98 Guy post:

September 29th, 2009
Research: Small DIY botnets prevalent in enterprise networks
http://blogs.zdnet.com/security/?p=4485&tag=nl.e539

September 30th, 2009
New botnet hides commands as JPEG images
http://blogs.zdnet.com/security/?p=4507

September 29th, 2009
Chinese hackers launch targeted attacks against foreign correspondents
http://blogs.zdnet.com/security/?p=4476

Security
http://news.cnet.com/8300-1009_3-83-...goryId=9729342

CERTIFICATES:
http://www.google.com/search?&q=spac...certifica tes
http://www.google.com/search?hl=en&q...s&start=0&sa=N
http://linux.die.net/man/1/x509

An example for hackable:
Pine+OpenSSL HOWTO
http://www.madboa.com/geek/pine-ssl/

Dan Kaminsky shows how to hack and mimic legitimate SSL certificates
http://www.searchsecurityasia.com/co...l-certificates

http://www.sslshopper.com/article-de...g-firefox.html

http://www.channelregister.co.uk/200...traffic_study/

*CAUTION* [duh, these may contain hacks leveraged against you or
examples of same]:
http://hackaday.com/2009/07/29/black...ll-characters/
http://www.ethicalhacker.net/content/view/31/24/
Wireless hack,Wifi hack & security
http://thewifihack.com/blog/
eXploiting Local Stack on Windows
http://www.hackinthebox.org/modules....rder=0&thold=0

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
  #19  
Old September 30th 09, 08:37 PM posted to microsoft.public.win98.gen_discussion
MEB[_18_]
External Usenet User
 
Posts: 537
Default Opera for windows 98

MEB wrote:
98 Guy wrote:
glee wrote:

I wouldn't call either http://www.opera.com/support/kb/view/929/
or http://www.opera.com/support/kb/view/934/ exactly trivial,
though they aren't critical.

-----------------
929:

Sites using revoked intermediate certificates might be shown as secure

Opera does not check the revocation status for intermediate certificates
not served by the server. If the intermediate is revoked, this might not
impact the security rating in Opera, and the site might be shown as
secure.

934:

Opera accepts nulls and invalid wildcards in certificates

Certificate authorities are expected to vet all certificate
registrations, but may fail to prevent fraudulent or erroneous
registrations. Certificates which use a wild card immediately before the
top level domain, or nulls in the domain name, may pass validation
checks in Opera. Sites using such certificates may then incorrectly be
presented as secure.
------------------

Note that the above 2 issues were part of a group of 4 that were
announced about 3 weeks ago, and it does affect all versions of Opera
10.00.20090830. Those problems allow for "man-in-the-middle" spoofing
attempts, which themselves depend on a cascade of pre-existing
vulnerabilities and circumstances to be in place in order to
successfully gain control of an arbitrary system, which become much less
possible if the system in question is running Windows 98.

Opera version 9.64 is the last of the 9.xx versions. Version 9.62 had
this problem:

Opera 9.62 file:// Local Heap Overflow Exploit
http://www.vupen.com/english/advisories/2008/3183

Which was corrected in 9.63 or 9.64.

Then there is this:

Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit

Which affects version 9.64, but all it appears to do is to crash Opera,
not gain control of the system running it.

The fact that vulnerabilities are not reported for Firefox 2.0.0.20
does not indicate that they don't exist, only that the product is
considered End Of Life and is no longer checked for vulnerabilities,
AFAIK. Do you have any links to show that v.2.0.0.20 is even being
tested for any recent vulnerabilities?

If you're aware of ANY browser vulnerabilities that allow attackers to
gain control of remote systems which are NOT ultimately heap overflows
(resulting in the execution of arbitrary code), then please describe
them. It's my impression that all such browser vulnerabilities boil
down to heap overflows (even if they are java or script facilitated),
and there is no heap-overflow code that has ever been shown to work on
both win-9x and NT-based systems simultaneously. The point being that
code must be developed specifically for win-9x and be in a position to
be deployed in those cases where 9x systems are encountered - an
increasingly unlikely situation.

Mozilla does not appear to check the old versions
any longer and I see no evidence that any other
groups do, including Secunia.

Most vendors will simply issue a blanket statement along the lines that
a given vulnerability is present in the current - AND ALL PREVIOUS
VERSIONS without really testing all previous versions. That's
particularly true with Adobe Acrobat version 6.x family.

Opera 9.64 is AFAIR only very recently EOL, or else
not EOL till sometime in October....I don't have
time right now to look it up.

There is some indication that there is a 9.65 version circa August 2009
(google for Opera 9.65 and you'll get some hits). Specifically:

http://wakoopa.com/download/opera/9.65

Which might have been a beta version of Opera 10.

Similarly, Communicator 4.79 has been EOL for quite some time,
and no one is checking it for vulnerabilities, so the fact
they are not being reported does not mean they don't exist.

Remember, I don't use communicator 4.79 for web browsing. Only email
and usenet, and as such it's a bulletproof app for that.


Not true.
Overly broad statements which fail to address:
known un-patched vulnerabilities;
individual user activities;
external scripting/JAVA/other used within;
that the party making statement fails to appreciate the effect of
memory corruption, heap overflows, and other within the OS environment;
and other aspects that MUST ALL be taken under consideration when using
any application upon the Internet [and locally for that matter] or when
considering the effect of any particular vulnerability, exploit, or related:

http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?q=commu...+vulnerability
http://www.google.com/search?hl=en&q...ulner ability
http://www.securityforumz.com/Worms-...opict5125.html
http://www.google.com/search?hl=en&q=NNTP+vulnerability
http://www.google.com/search?hl=en&q...+vulnerability
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities
http://www.google.com/search?hl=en&q...rruption+hacks
http://www.google.com/search?hl=en&q...ulnerabilities

Please avoid using 98 Guy as a supposed expert for anything related to
security. This party apparently likes to discuss issues solely for
amusement or personal enjoyment.


ADDENDUM pursuant other segments of the 98 Guy post:

September 29th, 2009
Research: Small DIY botnets prevalent in enterprise networks
http://blogs.zdnet.com/security/?p=4485&tag=nl.e539

September 30th, 2009
New botnet hides commands as JPEG images
http://blogs.zdnet.com/security/?p=4507

September 29th, 2009
Chinese hackers launch targeted attacks against foreign correspondents
http://blogs.zdnet.com/security/?p=4476

Security
http://news.cnet.com/8300-1009_3-83-...goryId=9729342

CERTIFICATES:
http://www.google.com/search?&q=spac...certifica tes
http://www.google.com/search?hl=en&q...s&start=0&sa=N
http://linux.die.net/man/1/x509

An example for hackable:
Pine+OpenSSL HOWTO
http://www.madboa.com/geek/pine-ssl/

Dan Kaminsky shows how to hack and mimic legitimate SSL certificates
http://www.searchsecurityasia.com/co...l-certificates

http://www.sslshopper.com/article-de...g-firefox.html

http://www.channelregister.co.uk/200...traffic_study/

*CAUTION* [duh, these may contain hacks leveraged against you or
examples of same]:
http://hackaday.com/2009/07/29/black...ll-characters/
http://www.ethicalhacker.net/content/view/31/24/
Wireless hack,Wifi hack & security
http://thewifihack.com/blog/
eXploiting Local Stack on Windows
http://www.hackinthebox.org/modules....rder=0&thold=0

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
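
Advisory 934 quoted in the post above concerns certificate names containing nulls or a wildcard immediately before the top-level domain. The C code below is an added example, not code from Opera or from any poster in this thread: it sets a name comparison that treats the certificate's length-prefixed name as a C string beside one that uses the full length and rejects both cases. Function names and sample names are constructed for illustration, and no public-suffix list is consulted.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed check: treats the length-prefixed certificate name as a C string,
   so the comparison stops at the first NUL byte inside the name. */
int naive_match(const unsigned char *name, size_t len, const char *host) {
    (void)len;
    return strcmp((const char *)name, host) == 0;
}

/* Case-insensitive comparison of exactly n bytes. */
static int eq_ci(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Hardened check: uses the full encoded length, rejects embedded NULs and
   trailing dots, and allows "*" only as the whole leftmost label with at
   least two non-empty labels after it (so "*.example" never matches). */
int strict_match(const unsigned char *name, size_t len, const char *host) {
    size_t hlen = strlen(host);
    if (len == 0 || name[len - 1] == '.' || memchr(name, '\0', len)) return 0;
    if (memchr(name, '*', len) == NULL)
        return len == hlen && eq_ci(name, host, len);
    if (len < 3 || name[0] != '*' || name[1] != '.') return 0;
    const unsigned char *suffix = name + 1;          /* e.g. ".shop.example" */
    size_t slen = len - 1;
    if (memchr(suffix, '*', slen) != NULL) return 0; /* one wildcard only */
    const unsigned char *d = memchr(suffix + 1, '.', slen - 1);
    if (d == NULL || d == suffix + 1) return 0;      /* wildcard before TLD */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return 0;        /* empty first label */
    return strlen(dot) == slen && eq_ci(suffix, dot, slen);
}

/* Constructed sample names (not taken from any real certificate). */
static const unsigned char NUL_NAME[] = "www.bank.example\0.other.example";
static const unsigned char WILD_TLD[] = "*.example";
static const unsigned char WILD_OK[]  = "*.shop.example";

int main(void) {
    printf("%d\n", naive_match(NUL_NAME, sizeof NUL_NAME - 1, "www.bank.example"));
    printf("%d\n", strict_match(NUL_NAME, sizeof NUL_NAME - 1, "www.bank.example"));
    printf("%d\n", strict_match(WILD_TLD, sizeof WILD_TLD - 1, "bank.example"));
    return 0;
}
```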
 



