Opera patches serious code execution flaw

Opera Software has joined the list of browser vendors shipping fixes for serious remote code execution vulnerabilities.

The company's new Opera 9.5.1 patches at least four security issues, the most serious being a flaw reported by Microsoft's Billy Rios that could be used to execute arbitrary code.

Opera is withholding details on the high-risk flaw until a later date but, with Rios involved, it's probably a safe bet this is a URI-handler flaw that could be exploited if a user is tricked into clicking on a rigged Web site. Rios and my blogging colleague Nate McFeters have spent the better part of the last year warning about serious URI-handler security issues.

From the Opera 9.5.1 changelog:

  • Fixed an issue where <canvas> functions could reveal data from random places in memory, as reported by Philip Taylor. See our advisory.
  • Fixed an issue that could be used to execute arbitrary code, as reported by Billy Rios. Details will be disclosed at a later date.
  • Security status is now correctly set when navigating from HTTP to HTTPS.

The browser refresh also corrects an issue related to OCSP and CRLs that would lower security.

Talkback

1 comment
  • URI/Protocol Handler Abuse

    I can confirm that Rios has been working on a protocol handler flaw on Opera. I'm not sure if this is what was patched... we've both been so busy lately we haven't been researching together as much as we did in the past year.

    I believe he had a couple of Opera issues he was working on, but I know the most promising was a protocol handler flaw.

    -Nate
    nmcfeters