Opera patches vulnerabilities

News by SC Staff

Opera has patched a vulnerability which it has deemed to be 'highly critical'.



The patch addresses a vulnerability that can be exploited through the browser's history search function. The flaw leaves Opera users at risk of attack if they simply visit a malware-loaded web page.


A further update will also fix a flaw in the handling of JavaScript URLs in the Links panel, which left users at risk of cross-site scripting attacks when visiting web pages that contained frames.


Aviv Raff, who discovered the flaws, said in a blog: “The problem was that Opera did not sanitise specific parameters correctly, and an arbitrary script could be injected to this page.


“An attacker could then execute a script that will create an iframe which will open the opera:config local resource. And then, it will call a script within the opera:config page, which will change the settings and execute arbitrary code on the user's machine as explained previously.


“While both vulnerabilities in the “History Page” are now fixed, the core problem which makes it possible to execute code from remote, still isn't. There is still no Same Origin Policy restriction between local resources in Opera. It is still possible for a script to access one local resource (e.g. opera:cache) from another (e.g. opera:config). In my submission to Opera I've asked them to fix this issue as well, and I really hope they will do so before other vulnerabilities will be found in more local resources.”

