AusCERT - AA-2008.0263 -- [Win][UNIX/Linux] -- A number of vulnerabilities have been identified in Opera prior to version 9.63

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AA-2008.0263 -- [Win][UNIX/Linux] -- A number of vulnerabilities have been identified in Opera prior to version 9.63
Date: 22 December 2008

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2008.0263                  AUSCERT Advisory

                             [Win][UNIX/Linux]
         A number of vulnerabilities have been identified in Opera
                           prior to version 9.63
                             22 December 2008
- ---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              Opera prior to 9.63
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5679 CVE-2008-5680 CVE-2008-5681
                      CVE-2008-5682 CVE-2008-5683
Member content until: Thursday, January 15 2009

Revision History:     December 22 2008: Added CVE's
                      December 18 2008: Initial Release

OVERVIEW:

      A number of vulnerabilities have been identified in Opera prior to
      version 9.63.


IMPACT:

      According to the vendor, the vulnerabilities corrected in Opera 
      version 9.63 are:

      o  "Manipulating certain text-area contents can cause a buffer overflow, 
         which may be exploited to execute arbitrary code." [1]

      o  "Certain HTML constructs can cause the resulting DOM to change 
         unexpectedly, which triggers a crash. To inject code, additional 
         techniques will have to be employed." [2]

      o  "Exceptionally long host names in file: URLs can cause a buffer 
         overflow, which may be exploited to execute arbitrary code. Remote 
         Web pages cannot refer to file: URLs, so successful exploitation 
         involves tricking users into manually opening the exploit URL, or a 
         local file that refers to it." [3]

      o  "When Opera is previewing a news feed, some scripted URLs are not 
         correctly blocked. These can execute scripts which are able to 
         subscribe the user to any feed URL that the attacker chooses, and can 
         also view the contents of any feeds that the user is subscribed to. 
         These may contain sensitive information." [4]

      o  "Built-in XSLT templates incorrectly handle escaped content and can 
         cause it to be treated as markup. If a site accepts content from 
         untrusted users, which it then displays using XSLT as escaped 
         strings, this can allow scripted markup to be injected. The scripts 
         will then be executed in the security context of that site." [5]
      

MITIGATION:

      The vendor recommends upgrading to the latest version.


REFERENCES:

      [1] Advisory: Manipulating text intput contents can allow execution of 
          arbitrary code
          http://www.opera.com/support/kb/view/920/

      [2] Advisory: HTML parsing flaw can cause Opera to execute arbitrary code
          http://www.opera.com/support/kb/view/921/

      [3] Advisory: Long hostnames in file: URLs can cause execution of 
          arbitrary code
          http://www.opera.com/support/kb/view/922/

      [4] Advisory: Script injection in feed preview can reveal contents of 
          unrelated news feeds
          http://www.opera.com/support/kb/view/923/

      [5] Advisory: Built-in XSLT templates can allow cross-site scripting
          http://www.opera.com/support/kb/view/924/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSU8aVCh9+71yA2DNAQLbNAP/eHtqbb3DWyeeyOOtp3/+74p4XiaUULeR
vpJ1uFIGnXdTuavx82D9ql09RaL9nD5C+fmd3iVB6QftR15mOZlRVCB7X6LWJznU
aOYZXhXFZaj2E1znjnCLITWVbBrIeDb2l8ec73+6vxawKhyrba7LKIedDwZmpFkX
BqOM6SSvSCg=
=vCLH
-----END PGP SIGNATURE-----