Opera Browser Upgrade Adds New Features for Mountain Lion, Patches Six Vulnerabilities
Posted by Derek Erwin
Yesterday Opera released version 12.10 of its web browser, which gives Mac users new features that take advantage of OS X Mountain Lion. Using Mountain Lion’s built-in share function, the updated browser adds a Share button to Opera’s address bar and shows Opera notifications in Notification Center. In addition to a number of new features and improved extensions, Opera 12.10 patches six security flaws, including a cross-site scripting vulnerability.
Opera will disclose details on two of the vulnerabilities, a high severity issue and a moderate severity issue, at a later date, according to the Opera 12.10 security bulletin. Details of the other four bug fixes are as follows:
An issue that could cause Opera not to correctly check for certificate revocation:
When accessing secure websites, Opera queries a number of services to check whether the website’s security certificate has been revoked. Normally, if Opera cannot check revocation status, it will not present the site as secure. In some cases, a failure in one of these services can cause Opera not to check other services. In this case, Opera might present the site as secure, even though it failed to complete checking the revocation status.
An issue where CORS requests could incorrectly retrieve contents of cross-origin pages:
CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the correct headers that give permission for their contents to be used in this way. Specially crafted requests may trick Opera into thinking that the target site has given permission when it had not done so. This can result in the contents of any target page being revealed to untrusted sites, including any sensitive information or session IDs contained within the source of those pages.
An issue where data URIs could be used to facilitate cross-site scripting:
Data URIs are only supposed to inherit the scripting origin from the site that creates them, such as by including them as the target of a link or an inline frame in the source of the document. Specific sequences of document and data URI loading can cause Opera to forget which document created the data URI, and to allow the data URI document to inherit the scripting origin of a target page instead. The data URI document would then be allowed to interact with the target page, instead of the document that created it, resulting in cross-site scripting (XSS).
An issue where specially crafted SVG images could allow execution of arbitrary code:
Opera can display images created using the Scalable Vector Graphics (SVG) format. Specially crafted and malformed SVG images may cause Opera to crash when their documents are unloaded, and the crash may allow execution of malicious arbitrary code. To inject code, additional techniques will have to be employed.
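The certificate revocation issue above is a fail-open pattern: one failed service stops the remaining checks, and the result still reads as secure. The following added example (a constructed model, not Opera's code) puts that pattern beside a fail-closed version; the service functions, the serial numbers, the verdict strings and the rule that one definite "good" answer is enough are all assumptions made for illustration.

```javascript
// Constructed model of the revocation-check flaw described above; not Opera's code.
// Each hypothetical "service" returns "good" or "revoked", or throws when the
// responder cannot be reached.

const REVOKED_SERIALS = new Set(["0A1B"]); // constructed sample data

const ocspDown = () => { throw new Error("responder unreachable"); };
const crlLookup = (cert) => (REVOKED_SERIALS.has(cert.serial) ? "revoked" : "good");

// Flawed aggregation: the first failure aborts the loop, so later services are
// never asked, and the verdict falls through to "secure".
function flawedVerdict(services, cert) {
  let revoked = false;
  try {
    for (const check of services) {
      if (check(cert) === "revoked") revoked = true;
    }
  } catch (err) {
    // Error swallowed; remaining services are skipped.
  }
  return revoked ? "blocked" : "secure";
}

// Fail-closed aggregation: a failure in one service does not stop the others,
// any "revoked" answer blocks, and "secure" needs at least one definite "good".
function failClosedVerdict(services, cert) {
  let sawGood = false;
  for (const check of services) {
    try {
      const status = check(cert);
      if (status === "revoked") return "blocked";
      if (status === "good") sawGood = true;
    } catch (err) {
      continue; // try the next service instead of giving up
    }
  }
  return sawGood ? "secure" : "unverified";
}

const revokedCert = { serial: "0A1B" }; // constructed
console.log(flawedVerdict([ocspDown, crlLookup], revokedCert));     // secure (wrong)
console.log(failClosedVerdict([ocspDown, crlLookup], revokedCert)); // blocked
console.log(failClosedVerdict([ocspDown, ocspDown], revokedCert));  // unverified
```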
Users can update the software using the program’s built-in updater (choose Opera > Check for Updates), through its auto-updater (this can be turned on in Preferences > Advanced > Security), or from the Opera website.