October 22, 2016

Opera Fixes SVG Vulnerability

(LiveHacking.Com) – Opera has released version 11.52 of its web browser to address an exploitable vulnerability in the processing of SVG images. This release is in response to a new Metasploit module which was released along with details of the vulnerability by security researcher José A. Vázquez.

Opera also issued a security advisory which describes the problem:

Certain font manipulations inside a dynamically added and specifically embedded SVG image can cause Opera to crash. Additional techniques can reliably be used in combination with this crash to allow execution of arbitrary code.

In a blog post, the company also responded to claims that Opera had intentionally decided not to fix this particular vulnerability, as José had informed Opera of the problem several months ago via the SecuriTeam Secure Disclosure program, but it remained unresolved.

In the blog Sigbjørn Vik writes:

About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, giving details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. These fixes were released in a regular security update, Opera 11.11.

Opera then informed SecuriTeam of the fixes and asked for more details about the remaining issue that it was unable to reproduce, including a request for known ways to reproduce it in the then-current Opera release. However, it received no further information from SecuriTeam or José.

This then raises the question of responsible disclosure and whether José did all he could to ensure that Opera had all the relevant details.

Also fixed in 11.52 are the following non-security-related bugs:

  • Adjusting volume on a YouTube HTML5 Video causes freeze
  • Fixed a non-exploitable bug which allowed injection of untrusted markup into the X-Frame-Options error page, as reported by Masato Kinugawa.
  • Crashes when downloading via BitTorrent


New Metasploit Module Exposes Hole in Opera Web Browser

(LiveHacking.Com) – Security Researcher José A. Vázquez has released details of a vulnerability in the Opera web browser which is caused by bugs in its SVG processing code. What is more startling is that José actually reported this vulnerability and some others, via the SecuriTeam Secure Disclosure program over 10 months ago, but Opera have done nothing about it.

So now José has decided to go public, and with the help of the guys over at metasploit.com he has also released a Metasploit module.

Due to the nature of the vulnerability, visiting a specially crafted web page is enough to trigger the exploit and allow the attacker to run malicious code. However, the exploit isn’t successful 100% of the time. According to his testing, the success rate differs across versions of Opera:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

Opera did fix a related problem that José submitted; however, he reported several vulnerabilities at the same time, and the SVG processing has so far been ignored.