Wii

Opera Browser Vulnerability Affects Wii Internet Channel

by Aaron Kaluszka - January 6, 2007, 9:16 pm PST
Total comments: 12 Source: Opera Advisory

A recently revealed vulnerability in the desktop version of Opera 9 can also crash the Wii version.

On January 5th, Opera Software revealed two security bugs in version 9.0x of its internet browser. Though patched in its most recently released version 9.10, the Internet Channel Trial Version used on the Wii is still affected since it is powered by Opera 9.0. iDefense Labs, discoverer of the bugs, notified Opera Software on November 16th of last year.

One of the bugs, a flaw in the way the browser handles a scalable vector graphics (SVG) JavaScript function, can not only crash the Opera web browser, but can also allow arbitrary code execution. However, it is unclear whether this code execution can happen on the Wii version, though the crash (a hard freeze of the system) does indeed occur. In theory, a malicious hacker could craft a special webpage, which when visited by a victim, would crash and potentially execute code on the Wii.

The crash occurs because Opera does not properly validate the type of object passed to the JavaScript SVG function "createSVGTransformFromMatrix."

Though Opera mentions that users that have JavaScript disabled are not affected by the problem, this is not a possibility on the Wii version, and Wii users will have to wait for a patch or the final version, which is currently scheduled for the end March.

Talkback

IceColdJanuary 06, 2007

Hopefully they include Flash 9 compatibility as well..

Smash_BrotherJanuary 06, 2007

Wow, that sucks...

It'd be nice if they threw us a bone and gave us a patch here before someone figures out a way to "brick" Wiis over the internet.

NephilimJanuary 06, 2007

There is no proof the code can be activated on the wii, only thing proven is it makes it crash

KDR_11kJanuary 06, 2007

The first problem for injecting code into the Wii is... Do you have a Wii compiler?

Nick DiMolaNick DiMola, Staff AlumnusJanuary 06, 2007

I figured it was only a matter of time before some sort of vulnerability was exposed with the Wii Internet Channel. Of course there is the issue of not being able to compile Wii executable code as of now, but having any vulnerabilities at all is typically not a good thing. Hopefully this bug is worked out and all is well again.

KDR_11kJanuary 06, 2007

Hm... arbitrary code injection on a console could be useful for homebrew...

WPack911January 06, 2007

Whatever it's no big whoop since it will be fixed in the final version anyway.

BranDonk KongJanuary 07, 2007

I was thinking the same thing as KDR. How awesome would it be if someone made a website that you could visit and the "vulnerability" would allow you to play homebrew software. Of course, there is no such thing as Wii homebrew at this time, just Gamecube homebrew that works on the Wii.

DjunknownJanuary 07, 2007

The Wii browser crashing happened to me few times. It happens if I'm on YouTube for an extended period of time. But this vulnerability has me paranoid...

Quote

The first problem for injecting code into the Wii is... Do you have a Wii compiler?


So that means no worries for the time being right? Surf and crash to your heart's content?

theratJanuary 07, 2007

will the thread stop running after i turn off my wii?

A compiler is not a prerequisite for injecting machine code.

AnyoneEBJanuary 07, 2007

Quote

Originally posted by: KDR_11k
The first problem for injecting code into the Wii is... Do you have a Wii compiler?


Yes.

Got a news tip? Send it in!
Advertisement
Advertisement