Opera browser update fixes five vulnerabilities

The vulnerabilities fixed in version 11.01 allowed clickjacking, data retention, and remote code injection.

Last week, the French security company VUPEN issued a critical alert about a remote code injection vulnerability in Opera 11 and 10.63 on Windows 7 and Windows XP SP3.

In the alert, VUPEN said the vulnerability “could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by an integer truncation error within the Opera Internet Browser module ‘opera.dll’ when handling a HTML ‘select’ element containing an overly large number of children, which could allow remote attackers to execute arbitrary code by convincing a user to visit a specially crafted web page.”
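The bug class VUPEN names, integer truncation of an element count, is shown below as an added illustration; it is not Opera's code and is not taken from the alert. The 16-bit width, the `item_t` type and all function names are assumptions chosen to show the unsafe narrowing next to a checked allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-child record; not a structure from opera.dll. */
typedef struct { uint32_t id; } item_t;

/* Unsafe pattern: a 32-bit child count is narrowed to 16 bits before the
 * buffer is sized. Returns the number of slots that would be allocated. */
size_t slots_truncating(uint32_t n_children)
{
    uint16_t n = (uint16_t)n_children;  /* 65537 silently becomes 1 */
    return (size_t)n;
}

/* Gap between what a later loop over n_children would write and what the
 * truncated allocation holds. Computed only; nothing is written. */
size_t slots_short(uint32_t n_children)
{
    return (size_t)n_children - slots_truncating(n_children);
}

/* Hardened pattern: reject any count that does not fit the narrower type
 * instead of narrowing it. calloc() itself checks count * size for overflow.
 * Returns NULL when the count is rejected or allocation fails. */
item_t *alloc_items_checked(uint32_t n_children, size_t *out_slots)
{
    if (n_children == 0 || n_children > UINT16_MAX)
        return NULL;
    item_t *buf = calloc(n_children, sizeof(item_t));
    if (buf != NULL)
        *out_slots = n_children;
    return buf;
}

int main(void)
{
    uint32_t counts[] = { 100u, 65535u, 65536u, 65537u };  /* constructed inputs */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t slots = 0;
        item_t *buf = alloc_items_checked(counts[i], &slots);
        printf("count=%u truncated=%zu short_by=%zu checked=%s\n",
               (unsigned)counts[i], slots_truncating(counts[i]),
               slots_short(counts[i]), buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```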

The 11.01 version fixes that vulnerability, as well as a vulnerability that “made it possible to carry out clickjacking attacks against internal Opera, one that allowed web pages to gain limited access to files on a user’s computer,” and one whereby “email passwords were not immediately deleted when deleting private data,” Opera said. The updated version also removed support for "javascript:" URLs in CSS -o-link values to make it easier for sites to filter untrusted CSS.

Version 11.01 also enables Mac operating system file quarantine. “This is the feature that sets a flag on downloaded files so the Finder can alert users when opening them that they were downloaded from a web site”, explained the Mac security blog.
