-=PCTechTalk=- Browser Flaws Spoil Opera Tune
- From: "David F. Wooledge" <wooledge001@xxxxxxxx>
- To: "@freelistts PCTechTalk" <pctechtalk@xxxxxxxxxxxxx>, accmail Juno <juno_accmail@xxxxxxxxxxxxx>
- Date: Fri, 17 Jun 2005 02:02:47 -0700 (PDT)
Yahoo! News
Browser Flaws Spoil Opera Tune
Ryan Naraine - eWEEKThu Jun 16, 1:18 PM ET
Alternative Web browser company Opera Software on Thursday pushed out a
new version of its flagship browser to fix several cross-site scripting
vulnerabilities discovered by private security researchers.
The Norwegian company recommends that Windows users upgrade to Opera 8.0.1
to protect against malicious hacker attacks.
In all, the Opera update addresses five different vulnerabilities and also
fixes a range of other security-related bugs.
The most serious issue, according to Opera's changelog, is an
XMLHttpRequest redirect vulnerability that can be exploited by malicious
attackers to steal content or to perform actions on other Web sites with
the target user's privileges.
Security research outfit Secunia Inc., which discovered and reported the
flaw to Opera, rates it as "moderately critical."
Under normal circumstances, Secunia said it should not be possible for the
XMLHttpRequest object to access resources from outside the domain of which
the object was opened.
"However, due to insufficient validation of server side redirects, it is
possible to circumvent this restriction [in Opera]."
The Opera update also patches a separate cross-site scripting flaw that
could lead to the discovery of local files on vulnerable machines. This
bug is also rated "moderately critical" by Secunia.
Read more here about Opera's proposal for an IDN browser fix.
The vulnerability is caused due to Opera not properly restricting the
privileges of "javascript:" URLs when opened in new windows or frames, the
company explained.
A third vulnerability that is caused due to input not being sanitized was
also fixed. This could also put users at risk of cross-site scripting
attacks.
The Opera 8.0.1 update also provides a fix for a window injection bug that
can be exploited to spoof the content of Web sites.
Opera said the browser refresh also provides improved accuracy of the
security bar and modified security icon behavior to properly report the
security levels when a certificate is accepted manually.
Read more here about Opera raising the curtain on a new browser edition.
The security fixes come just two months after Opera shipped Version 8 for
Windows and Linux users, touting fast performance and new security
features.
The new Opera browser is available as a free download in four languages:
English, German, Dutch and Polish. A paid version that strips out the
embedded banner ad is also available.
Check out eWEEK.com's Security Center for the latest security news,
reviews and analysis. And for insights on security coverage around the
Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's
Weblog.
Copyright © 2005 Ziff Davis Inc. All Rights Reserved.
Content originally published in Ziff Davis Media publications is the
copyrighted property of Ziff Davis Media.
Copyright © 2005 Yahoo! Inc. All rights reserved.
Questions or Comments
Privacy Policy -Terms of Service - Copyright/IP Policy - Ad Feedback
--
<Please delete this line and everything below.>
To unsub or change your email settings:
//www.freelists.org/webpage/pctechtalk
To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/
Other related posts:
- » -=PCTechTalk=- Browser Flaws Spoil Opera Tune
