12/19/2008

More web browser security issues. Opera this time...

Kevin R. Smith
Co-Editor

Just when you thought it was safe to go back in the water after the last round of security alerts and news on Internet Explorer trojan vulnerabilities, Opera announced they have some bugs of their own to take care of, too, in versions prior to 9.63 of the web browser.

To date Opera has had one of the finest track records of computer security for any web browser. It also has a great reputation for reliable rendering and for overall speed and stability, but as with all software at any price, there are bugs.

In this particular case, there are several Opera security vulnerabilities. They range in severity from "Highly severe" to "Extremely severe" and cover the following issues:

Vulnerability	Rating	Details
Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII.	Extremely Severe	Text input manipulation, ID 920
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos.	Extremely Severe	HTML parsing, ID 921
Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.	Highly Severe	Long hostnames in file, ID 922
Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.	Highly Severe	News feed script injection, ID 923
Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.	Highly Severe	Cross-site scripting (XSS), ID 924
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. (Details to follow "at a later date".)	N/A	N/A

We salute Opera for their speedy response and (nearly) full disclosure, and lest it go unsaid, take a second to be certain you're up-to-date on your antivirus firewall software

Here are Opera's complete details of Opera 9.63 fixes.

Posted by Kevin R. Smith at 12:00:00 AM in Opera