The Security Side of Opera 10.63 for Windows

Article by George Norman (Cybersecurity Editor)

on 12 Oct 2010

Earlier today, Opera Software, the Norwegian developer behind the Opera browser, announced the release of Opera 10.63. The developer describes this latest release as a security and stability upgrade. All users are advised to update their Opera browser to the latest version to stay safe and protected.

You can get the latest Opera version directly from within the browser by clicking the Opera menu -> Help -> Check for updates. Or you can download the latest Opera version (for Windows, Mac and *nix) here.

On the Windows front, Opera 10.63 comes with fixes for 5 security issues. Here are the details Opera provided on these security issues.

Title: Cross-domain checks may be bypassed, allowing limited data theft using CSS
Severity: Moderate
Description: In some cases, files that do not contain CSS may be partially interpreted as CSS. It is possible to make Opera incorrectly treat remote CSS files as if they were CSS files from the document-origin server, allowing the interpreted parts of a remote file to be read by scripts, leading to the possibility of cross-domain data theft.
Credit: Isaac Dawson

Title: Manipulating the window can be used to spoof the page address
Severity: Low
Description: Web page scripts can be used to alter the size of the browser window. In some cases, this manipulation can cause the wrong part of the Web page address to be displayed in the Address Bar, so that the part that is initially visible to the user is not the start of the address, and may contain content that the user thinks is a different page address.

Title: Reloads and redirects can allow spoofing and cross site scripting
Severity: Critical
Description: Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page. With minimal user interaction, this particular XSS vector may also be used to modify Opera's configuration, and this may in turn be used to execute arbitrary code on the computer.

Title: Private video streams can be intercepted
Severity: Moderate
Description: Video content may be used as filler content for a HTML5 canvas, if the video format is natively supported by Opera. If the video and page are from the same site, the content of the canvas can be safely read out by scripts. In some cases, Opera does not check the video's origin correctly, and may allow videos from unrelated sites to be used as canvas content, without protecting the content from scripts. Provided that an attacker knows the address of a private video stream that the user has access to, and they can convince the user to open a malicious page, they can extract and read the frames of that video via the canvas, and send them to their chosen destination.
Credit: Nirankush Panchbhai of Microsoft Vulnerability Research (MSVR)

Title: JavaScript might run in the wrong context if loaded from error page
Severity: Moderate
Description: If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in some cases these scripts might be run in the wrong security context. This can be used to execute scripts in the context of an unrelated domain, which allows cross-site scripting. To exploit this vulnerability, an attacker must get the user to interact with a specially crafted error page.
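
The "Private video streams can be intercepted" item above depends on the browser checking where a video came from before scripts may read the canvas it was drawn on. The following is an added illustration of that rule, not code from Opera or from the advisory: `CanvasModel`, `canRead`, the `finalUrl` field and all hostnames are hypothetical names and constructed sample values.

```javascript
// Added illustration: a model of the canvas origin check, not Opera's code.
// All hostnames used with it are constructed sample values.

// Two URLs are same-origin only if scheme, host and port all match.
// URL.origin normalises default ports; opaque origins serialise to "null"
// and never match anything in this model.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

class CanvasModel {
  constructor(documentUrl) {
    this.documentUrl = documentUrl;
    this.originClean = true; // a new canvas starts out readable
  }

  // media.finalUrl (assumed field) is where the bytes actually came from
  // after any redirects; checking only the requested URL would miss a
  // redirect to another site.
  drawImage(media) {
    if (!sameOrigin(this.documentUrl, media.finalUrl)) {
      this.originClean = false; // one-way: later draws never reset it
    }
  }

  // Stand-in for getImageData()/toDataURL(): refuse to expose tainted pixels.
  readPixels() {
    if (!this.originClean) {
      throw new Error("SecurityError: canvas is not origin-clean");
    }
    return "pixels";
  }
}

// Draw every item in mediaList, then report whether scripts may read back.
function canRead(documentUrl, mediaList) {
  const canvas = new CanvasModel(documentUrl);
  mediaList.forEach((m) => canvas.drawImage(m));
  try {
    canvas.readPixels();
    return true;
  } catch (e) {
    return false;
  }
}
```
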

The complete changelog for Opera 10.63 for Windows is available here (Mac here and *nix here).

