The Security Side of Opera 10.63 for Windows
Article by George Norman
On 12 Oct 2010
A few hours ago, Opera Software, the Norwegian developer we all know as the driving force behind the Opera browser, announced the release of Opera 10.63. As described by the developer, this latest release is a security and stability upgrade. All users are advised to update their Opera browser to the latest version to stay safe and protected.

You can get the latest Opera version directly from within the browser by clicking the Opera menu -> Help -> Check for updates. Or you can download the latest Opera version (for Windows, Mac and *nix) here.


On the Windows front, Opera 10.63 comes with fixes for 5 security issues. Here are the details Opera provided on these security issues.

Title: Cross-domain checks may be bypassed, allowing limited data theft using CSS
Severity: Moderate
Description: In some cases, files that do not contain CSS may be partially interpreted as CSS. It is possible to make Opera incorrectly treat remote CSS files as if they were CSS files from the document-origin server, allowing the interpreted parts of a remote file to be read by scripts, leading to the possibility of cross-domain data theft.
Credit: Isaac Dawson

Title: Manipulating the window can be used to spoof the page address
Severity: Low
Description: Web page scripts can be used to alter the size of the browser window. In some cases, this manipulation can cause the wrong part of the Web page address to be displayed in the Address Bar, so that the part that is initially visible to the user is not the start of the address, and may contain content that the user thinks is a different page address.

Title: Reloads and redirects can allow spoofing and cross site scripting
Severity: Critical
Description: Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page. With minimal user interaction, this particular XSS vector may also be used to modify Opera's configuration, and this may in turn be used to execute arbitrary code on the computer.

Title: Private video streams can be intercepted
Severity: Moderate
Description: Video content may be used as filler content for a HTML5 canvas, if the video format is natively supported by Opera. If the video and page are from the same site, the content of the canvas can be safely read out by scripts. In some cases, Opera does not check the video's origin correctly, and may allow videos from unrelated sites to be used as canvas content, without protecting the content from scripts. Provided that an attacker knows the address of a private video stream that the user has access to, and they can convince the user to open a malicious page, they can extract and read the frames of that video via the canvas, and send them to their chosen destination.
Credit: Nirankush Panchbhai of Microsoft Vulnerability Research (MSVR)

Title: JavaScript might run in the wrong context if loaded from error page
Severity: Moderate
Description: If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in some cases these scripts might be run in the wrong security context. This can be used to execute scripts in the context of an unrelated domain, which allows cross-site scripting. To exploit this vulnerability, an attacker must get the user to interact with a specially crafted error page.
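
The "Private video streams can be intercepted" entry above turns on one check: a canvas that has had cross-origin video drawn onto it must refuse script read-back. The sketch below is an added example, not Opera's code and not part of the advisory; it models that origin check in plain JavaScript (runnable in Node.js), and `ModelCanvas`, `canReadBack` and all URLs are constructed for illustration.

```javascript
// Model of the canvas origin-clean rule; runs in Node.js without a DOM.
// ModelCanvas, canReadBack and every URL below are constructed for illustration.
class SecurityError extends Error {}

class ModelCanvas {
  constructor(documentUrl) {
    // Origin = scheme + host + port; URL normalises default ports.
    this.documentOrigin = new URL(documentUrl).origin;
    this.originClean = true;
    this.drawn = [];
  }

  // Drawing a video frame: the origin check the advisory says was not always done correctly.
  drawVideoFrame(videoUrl) {
    if (new URL(videoUrl).origin !== this.documentOrigin) {
      this.originClean = false; // one-way flag, later draws never reset it
    }
    this.drawn.push(videoUrl);
  }

  // Stand-in for pixel read-back APIs: refuse once the canvas is tainted.
  readPixels() {
    if (!this.originClean) {
      throw new SecurityError("canvas is tainted by cross-origin video");
    }
    return this.drawn.length;
  }
}

// Returns true if a script on documentUrl may read the canvas back
// after drawing frames from each URL in videoUrls, in order.
function canReadBack(documentUrl, videoUrls) {
  const canvas = new ModelCanvas(documentUrl);
  for (const url of videoUrls) canvas.drawVideoFrame(url);
  try {
    canvas.readPixels();
    return true;
  } catch (err) {
    if (err instanceof SecurityError) return false;
    throw err;
  }
}

const page = "https://site.example/player.html";
console.log(canReadBack(page, ["https://site.example/clip.webm"]));
console.log(canReadBack(page, ["https://media.example/private.webm"]));
console.log(canReadBack(page, ["https://media.example/private.webm",
                               "https://site.example/clip.webm"]));
```

The third call shows why the flag has to be sticky: drawing same-site content after the cross-origin frame must not make the canvas readable again.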

The complete changelog for Opera 10.63 for Windows is available here (Mac here and *nix here).



Tags: Opera Software, Opera 10.63
About the author: George Norman
George is a news editor.