Article

GreyMagic sings about Opera flaw

Shawna McAlearney, News Writer

Users of Opera 7.53 and prior need to upgrade to fix a "severe" security vulnerability in the Web browser that could allow read-access to victim's files and folders, cookie theft and URL spoofing (phishing). The flaw could also be used to track a user's browsing history and affects Opera running on Windows, Linux and Macintosh systems.

"This vulnerability in Opera is extremely severe, especially since it's a variation of a vulnerability we have reported over a year and a half ago," said Lee Dagon, head of research and development at Israel-based GreyMagic Software, which discovered the flaw. "Unfortunately, it wasn't fully patched and we can only hope that this time the patch will perform better and surround all potentially vulnerable objects."

In an e-mail interview, Dagon said it was "shockingly easy" to explore and steal information from users' hard drives with this vulnerability.

"The vulnerability is a new variant of an older vulnerability GreyMagic detected in February last year. This time the 'location' object isn't sufficiently protected from malicious attacks," Dagon said.

The February advisory described several flaws in Opera's model, one of which allowed an attacker to overwrite native and custom functions in a window. When the Web page executed the function, the attacker's code executed with the victim's privileges.

Opera version 7.01 tried to fix the problem by blocking write-access to objects on the victim window, but failed to block write-access

    Requires Free Membership to View

to the often-used "location" object, Dagon said. "By overwriting methods in this object, an attacker can gain immediate script access to any Web page that uses one of these methods. This includes both Web pages in foreign domains and the victim's local file system."

GreyMagic informed Opera of the vulnerability on July 22. Opera version 7.54 was released on Aug. 5 to address the flaw.

Opera is the third most popular browser after Internet Explorer and Mozilla/Firefox. According to the Opera Web site, there are more than 7 million Opera users.

The full GreyMagic advisory is available here.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: