"Extremely severe" issues addressed with Opera 9.63 update

By on

The security issues could lead to system access, disclosure of potentially sensitive information, cross-site scripting exploits, or a denial of service condition.

Opera has issued version 9.63 of its browser, which fixes six security issues, some of which could lead to system access, disclosure of potentially sensitive information, cross-site scripting (XSS) exploits, or a denial of service condition.

Opera classified two of the issues as “extremely severe,” three as “highly severe,” and did not classify one because its details were not yet disclosed. Opera recommended the update for security and stability reasons, according to its release notes.

Secunia issued an advisory about the update and also listed the issues as “highly critical.” US-CERT also issued an advisory recommending users upgrade to Opera version 9.63.

The vulnerabilities listed as "extremely severe" include: By manipulating certain text input content, buffer overflow could occur, enabling the execution of arbitrary code if exploited. Also, an HTML-parsing flaw could lead to the same unwanted result, the release notes from Opera said.

The vulnerabilities listed as "highly severe" include: A problem involving exceptionally long host names in files could also lead to buffer overflow, enabling the execution of arbitrary code if exploited. A problem involving the news feed preview could be exploited to disclose the content of subscribed news feeds or to subscribe the user to an arbitrary news feed. Also, a vulnerability in built-in XSLT templates can allow cross-site scripting.

Another error can be exploited to disclose random data, but details about that will be disclosed at a later date, the Opera release notes report.

Besides closing the vulnerabilities, the updated version restricts embedded SVG images from executing Java or plugin content. Secunia said this may prevent certain attacks.

The last time Opera updated its browser was in October. That update patched an issue with the "history search" page that left users open to a remote code execution exploit.



See original article on scmagazineus.com
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?