Opera bitten by ‘extremely severe’ browser bug
Buried in the flurry of feature-related news surrounding the release of Opera 9.6 is the fact that the update fixes an “extremely severe” vulnerability that could expose Opera users to code execution attacks.
According to an Opera advisory, which is not mentioned anywhere in Opera’s giddy press release, there’s a patch out for an issue where specially crafted addresses could execute arbitrary code.
Here’s how Opera describes the vulnerability, which was discovered and reported by Matasano’s Chris Rohlf:
If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.
Rohlf has more details on the Matasano Chargen blog:
In this case the vulnerability is based on a ’specially crafted URI’ which of course can be triggered by any attacker controlled content. It is reproducible on both x86 Linux and Win XP SP2 and Vista.
This flaw was found using some rudimentary fuzzing, simple stuff really. I basically whipped up a few lines of Javascript to create different URI’s with incrementing string lengths (yes I’m serious). And thanks to Immunity Debugger I was able to boil it down to a heap overflow in no time.
The offending URI was ‘http://BBB*BBB:password@example.com’. This took minimal effort to find and underscores the importance of simple fuzzing test cases being built into your SDLC.
The Opera 9.6 update also fixes a second security bug reported by ex-Zero Day blogger Nate McFeters.
Opera rates this bug as “highly severe” and warns that Java applets can be used to read sensitive information:
Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.
[Source: zdnet]
Post a Comment