Opera plugs nasty code execution hole

You can add Opera to the list of Web browsers singing the security blues.

A new version of the cross-platform browser was released today to plug a highly critical code execution bug in the way Opera integrates support for BitTorrent downloads.

The skinny from an iDefense alert:

When parsing a specially crafted BitTorrent header, Opera uses memory that has already been freed. This can result in an invalid object pointer being dereferenced, and may allow for the execution of arbitrary code. The vulnerability is triggered when the user right clicks on the transfer and removes it...

The attacker must persuade a vulnerable user into clicking a link to a BitTorrent file. The targeted user must subsequently remove the entry from the download pane. The requirement to remove the torrent is not considered to be a mitigating factor since it is natural for a user to attempt to do so when a transfer is not progressing.

This is not the first time a critical security problem has been flagged in Opera 9's support of BitTorrent downloads.

Opera has released its own advisory confirming the latest BitTorrent issue. A fix is available in the latest Opera 9.22.

Topics: Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
