Critical Flaws Patched In Opera 9.61, New Zero-day Vulnerability Remains Unpatched
In the new Opera 9.61, the browser's makers correct an issue where History Search could be used to reveal browser history (rated extremely severe). Also fixed: a Fast Forward bug that allows cross-site scripting (highly severe) and an information disclosure flaw in news feeds (also highly severe). On the same day Opera shipped the browser update with patches for these three separate security vulnerabilities, hackers were already discussing a new zero-day flaw that exposes Windows users to remote code execution attacks.
A public discussion on the Full Disclosure mailing list exposed a zero-day vulnerability that could lead to cross-site scripting and even remote code execution attacks. The discussion began with an advisory by Roberto Suggi on the History Search bug fixed in Opera 9.61 but quickly expanded to raise the possibility of code execution attacks.
Within hours, researcher Aviv Raff discovered a way to execute code remotely and released a harmless proof-of-concept exploit that launches the Windows calculator. Currently, a separate exploit exists that launches harmful code remotely against fully patched versions of the Opera browser.
Until Opera can fix this new issue, users are strongly urged to consider a different browser or avoid clicking on links on untrusted Web pages.