July 25, 2014

Opera 11.64 Released to Close Arbitrary Code Execution Vulnerability

(LiveHacking.Com) – The latest version of the Opera web browser has been released with security and stability fixes. The latest version of the 11.6x series, dubbed 11.64, closes a serious security hole that, if exploited, could allow attackers to execute malicious code on a victim’s system.

The vulnerability, which was reported by Andrey Stroganov, revolves around certain undisclosed URL constructs. These URLs can cause Opera to allocate the wrong amount of memory (for storing the address), and when the browser attempts to store the address in that memory an overwrite occurs. The overwritten data is attacker-controlled, which means it could lead to a crash, or even arbitrary code execution. Opera is saying that although “11.64 does not contain many bug fixes”, it is a recommended security update.

Opera 11.64 also has some bug fixes, including fixes for some crashes and a bad nsl bug some people get on, e.g., PayPal and eBay.

The full change log for each of the supported platforms can be found here:
Opera 11.64 for Windows changelog
Opera 11.64 for Mac changelog
Opera 11.64 for UNIX changelog

For those wondering what happened to 11.63, it was released, but only for the Mac. Opera 11.64 is available to download for Windows, Mac OS X, Linux, FreeBSD and Solaris.

New Version of Opera Released to Fix Cross-site Scripting Vulnerability

(LiveHacking.Com) – Opera 11.61 has been released and it is recommended that all users upgrade to the latest version to benefit from the security and stability changes. With regard to security, Opera 11.61 fixes two security issues:

  • An issue where manipulation of framed content can allow cross-site scripting.
  • An issue where script events could be used to reveal the presence of local files.

The cross-site scripting issue is the worse of the two and has been given a “High” vulnerability rating. According to the advisory “pages from unrelated sites should not be able to interact with the contents of each other – known as the same-origin policy. Certain manipulations of framed content, made before loading a target site in a frame, can cause Opera not to correctly apply this restriction. This allows malicious sites to perform cross-site scripting attacks against arbitrary target sites, executing scripts in the context of that target site.”

The other issue, which has a “Low” rating, is one where remote web pages could detect what types of files a user has on their local machine. The advisory reports that “certain types of HTML elements may behave differently when they attempt to reference local files that exist. The attempt to load the local file will be blocked, but different JavaScript events may fire, allowing the presence of the local file to be detected. The contents of the local file will not be exposed, and the attacker will need to be able to guess the path to the local file in order to check for its existence.”

Other non-security related changes include an update to the default Speed Dials as well as fixes for the built-in email client along with stability (crashing) fixes. More details about the update can be found in the Windows, Mac and UNIX change logs. Opera 11.61 is available to download now.

Opera Fixes SVG Vulnerability

(LiveHacking.Com) - Opera has released version 11.52 of its web browser to address an exploitable vulnerability in the processing of SVG images. This release is in response to a new Metasploit module which was released along with details of the vulnerability by security researcher José A. Vázquez.

Opera also issued a security advisory which describes the problem:

“Certain font manipulations inside a dynamically added and specifically embedded SVG image can cause Opera to crash. Additional techniques can reliably be used in combination with this crash to allow execution of arbitrary code.”

In a blog post, the company also responded to claims that Opera had intentionally decided not to fix this particular vulnerability, as José had informed Opera of the problem several months ago, via the SecuriTeam Secure Disclosure program, but it remained unresolved.

In the blog Sigbjørn Vik writes:

“About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, giving details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. These fixes were released in a regular security update, Opera 11.11.”

Opera then informed SecuriTeam of the fixes and asked for more details about the remaining issue that it was unable to reproduce, including a request for known ways to reproduce it in the then-current Opera release. However, it received no further information from SecuriTeam or José.

This then raises the question of responsible disclosure and if José did all he could to ensure that Opera had all the relevant details.

Also fixed in 11.52 are the following non-security related bugs:

  • Adjusting volume on a YouTube HTML5 Video causes freeze
  • Fixed a non-exploitable bug which allowed injection of untrusted markup into the X-Frame-Options error page, as reported by Masato Kinugawa.
  • Crashes when downloading via BitTorrent

 

New Metasploit Module Exposes Hole in Opera Web Browser

(LiveHacking.Com) - Security researcher José A. Vázquez has released details of a vulnerability in the Opera web browser which is caused by bugs in its SVG processing code. What is more startling is that José actually reported this vulnerability and some others via the SecuriTeam Secure Disclosure program over 10 months ago, but Opera have done nothing about it.

So now José has decided to go public and, with the help of the guys over at metasploit.com, he has also released a Metasploit module.

Due to the nature of the vulnerability, visiting a specially crafted web page is enough to trigger the exploit and allow the attacker to run malicious code. However, the exploit isn’t successful 100% of the time. According to his testing, the success rate differs on different versions of Opera:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

Opera did fix a related problem that José submitted; however, he reported several vulnerabilities at the same time and the SVG processing has so far been ignored.

Opera 11.51 Released – Closes Security hole & Adds OS X Lion Fullscreen Support

(LiveHacking.Com) - Opera has released version 11.51 of its web browser to fix a security hole and add full screen support on OS X Lion. The security related problem fixed in this release is that unsecured web content may appear to be secure or trusted.

According to the security advisory: “When certain content is loaded and manipulated in a specific sequence, it can cause Opera to display the security information from the loaded resources in the address field and page information dialog. This allows a malicious page to display the security information from a secure or trusted third party, instead of its own security information.”

11.51 also fixes a low severity issue, as reported by Thai Duong and Juliano Rizzo; details of which will be disclosed at a later date.

More details can be found in the Windows, Mac and Unix change logs. Opera 11.51 is available to download for Windows, Mac OS X, Linux (including a PowerPC version), Solaris and FreeBSD.

 

NSS Labs Report Shows That IE Still Best At Blocking Socially Engineered Malware

 

(LiveHacking.Com) - NSS Labs has released its latest Web Browser Security Comparative Test Reports against Socially-Engineered Malware for the third quarter of 2011. The report examines the ability of the top five web browsers to protect users from websites that look harmless but actually are designed to trick visitors into downloading and installing malware.

According to a recent study by AVG, users are four times more likely to be tricked into downloading malware than be compromised by a vulnerability.

The report found that Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats (96% with the SmartScreen URL reputation and an additional 3.2% with Application Reputation). Google Chrome 12 caught 13.2% of the live threats, four times more than it managed during the Q3 2010 global test. Apple Safari 5 and Firefox both caught 7.6% of the live threats. Opera 11 caught the lowest number of threats, just 6.1%.

The full report can be downloaded from the NSS Labs website (download PDF) and, unlike previous reports, this latest report was not paid for by Microsoft.

Opera Fix Large HTML Form Vulnerability and Release Opera 11.01

A few days ago we wrote about a crash in the Opera web browser that could lead to memory corruption and leave the browser open for arbitrary code to be executed. The bug was reported by Jordi Chancel on January 7th and revolves around an integer truncation error when handling a HTML “select” element containing an overly large number of children.

Shortly after publishing our post Opera Software left us a comment:

From Opera Software: The newest version of the Opera desktop browser released today, 11.01, contains a security fix for this bug. You can download Opera 11.01 from http://www.opera.com/browser/

According to the 11.01 change log, six security issues were fixed in the 11.01 release including “fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel”.

The advisory on Opera’s web site says that “when certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed.” They also go on to thank Jordi Chancel for reporting the issue.
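The bug class named above, an integer truncation when sizing storage for a large number of child elements, shown as an added C example with the unsafe size calculation beside a checked one. This is not Opera's code and the page gives no details of the actual flaw; the 16-bit narrowing, the `option_t` record and the `MAX_OPTIONS` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-child record; not Opera's data structure. */
typedef struct { uint32_t value_id; uint32_t flags; } option_t;

/* Unsafe sizing: the 32-bit child count is narrowed to 16 bits before
 * the multiplication, so 65537 children size a one-element buffer. */
size_t sized_with_truncation(uint32_t child_count)
{
    uint16_t n = (uint16_t)child_count;          /* silent truncation */
    return (size_t)n * sizeof(option_t);
}

#define MAX_OPTIONS 100000u                      /* assumed policy limit */

/* Checked sizing: keep the full width, reject counts above the cap and
 * any count whose byte size would not fit in size_t. */
int sized_checked(uint32_t child_count, size_t *out_bytes)
{
    if (child_count == 0 || child_count > MAX_OPTIONS)
        return -1;
    if (child_count > SIZE_MAX / sizeof(option_t))
        return -1;
    *out_bytes = (size_t)child_count * sizeof(option_t);
    return 0;
}

/* Bytes a later loop over every child would write past the buffer if
 * the truncated size had been used (0 means no shortfall). */
size_t shortfall_bytes(uint32_t child_count)
{
    size_t needed = (size_t)child_count * sizeof(option_t);
    size_t got = sized_with_truncation(child_count);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    uint32_t counts[] = { 10u, 65535u, 65537u, 200000u }; /* constructed */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t ok_bytes = 0;
        int rc = sized_checked(counts[i], &ok_bytes);
        printf("count=%u truncated=%zu checked=%s shortfall=%zu\n",
               (unsigned)counts[i], sized_with_truncation(counts[i]),
               rc == 0 ? "accepted" : "rejected", shortfall_bytes(counts[i]));
    }
    return 0;
}
```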

Opera 11 was released last month and introduced tab stacking, extensions, visual mouse gestures and most importantly, from a security point of view, a redesigned address field which displays a clear badge indicating the security level of the web site.

Critical Vulnerabilities Found and Fixed in VLC Player but Opera Web Browser Not so Lucky Yet

Two critical heap corruption vulnerabilities have been discovered in the rarely used decoder for the CDG format in the VLC player. These index validation bugs could theoretically allow a maliciously crafted CDG video to corrupt the heap in a deliberate manner and potentially execute injected code.

As a response to these bugs, and a problem with the Real demuxer which could allow a remote denial of service attack, VLC V1.1.6 has been released. Other changes in V1.1.6 include faster Webm/VP8 decoding.

V1.1.5 of VLC was downloaded 58 million times since its release two months ago and the fixes are for potentially exploitable vulnerabilities, although no actual practical exploits have been documented. This can’t be said, however, for the Opera Web browser.

Back in January a bug report was posted by Jordi Chancel which identified a vulnerability in Opera’s handling of a HTML “select” element containing an overly large number of children. This bug could be exploited by remote attackers to take complete control of a vulnerable system.

It now appears that VUPEN have succeeded in using this exploit to inject and execute code. This now means that specially crafted web pages could exploit this vulnerability and infect Windows systems with malware. The bug has been confirmed in Opera 11.00 and earlier and 10.63 and earlier for Windows 7 and XP SP3. At present there’s no patch or update for the problem.