Opera, Netscape ship 'critical' browser patches

Browser makers Opera and America Online (Netscape) have released patches to fix multiple vulnerabilities that expose millions of users to code execution and cross-site scripting attacks.

The Opera update, rated "highly critical" by Secunia, address two vulnerabilities that can lead to system compromise. All versions of Opera for Desktop prior to Opera 9.24 are affected.

The most serious of the two bugs is an issue that causes Opera to launch external e-mail or newsgroup clients incorrectly.

Opera's warning:

If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code.

The second issue is described as an error when the browser processes frames from different Web sites.

When accessing frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.

Opera users are strongly encouraged to upgrade to version 9.24.

FINALLY, FIXES FROM NETSCAPE

A new version of America Online's Netscape Navigator browser, previously known simply as Netscape 9, has been released with fixes pulled from Mozilla Firefox.

Netscape, based on Firefox, had been missing patches since Firefox 2.0.0.4. The Firefox code base is now up to Firefox 2.0.0.7.

As is customary, AOL did not release a security advisory or mention any of the security patches for Netscape.

The only clue that the Firefox patches were rolled into this release is this line in the release notes: "Netscape Navigator 9.0 is based on Mozilla Firefox 2.0.0.7."