‘Extremely severe’ vulnerabilities in Opera browser

Opera 9.63 plugs serious security holes

Opera has released version 9.63 of its browser as a “recommended security upgrade” that fixes at least seven security vulnerabilities, some with serious risk implications.

The most serious of the flaws could lead to remote code execution if an Opera user is tricked into surfing to a maliciously rigged Web page. Two of the bugs are rated “extremely severe” while three others are rated “highly severe.”

Details on the Opera 9.63 vulnerabilities:

  • Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Rated extremely severe.
  • Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Rated extremely severe.
  • Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. Rated highly severe.
  • When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Rated highly severe.
  • Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. Rated highly severe.
  • Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. Details will be disclosed at a later date.
  • SVG images embedded using tags can no longer execute Java or plugin content, suggested by Chris Evans.

Opera users are strongly encouraged to download and apply the newest version.

[Source: zdnet]