Opera patches seven security flaws

A new version of the browser has been released as a 'recommended security upgrade' to tackle several flaws, two of them rated 'extremely severe'.

Opera has issued an update to its web-browser software to fix seven vulnerabilities, two of them rated by the company as 'extremely severe'.

Opera 9.63, released for download on Tuesday, only applies to Microsoft Windows PCs and is described by the company as a 'recommended security upgrade'.

One of the two most serious flaws tackled by the update could allow an attacker to manipulate text input to cause a buffer overflow, and then execute arbitrary code, meaning that the attacker could take remote control of the computer. The second critical flaw relates to HTML parsing, and means that certain HTML could cause unexpected changes that trigger a crash. An intruder would have to use additional techniques to inject code, Opera said in an advisory.

Three other issues are rated 'highly severe'. Long hostnames in file: URLs could be exploited to cause a buffer overflow, which could be used to execute arbitrary code. However, people would need to be tricked into manually opening a malicious URL for an attack to be launched, Opera said.

The second 'highly severe' vulnerability affects previews of news feeds, and could let an intruder see the contents of a user's feeds. The third vulnerability relates to incorrect handling of escaped content in built-in XSLT templates.

The remaining issues do not carry a severity rating, and relate to a problem that could reveal random data, and an issue with the embedding of SVG images.

Opera users can find more details on the security issues in the release notes for the update.