Opera Software ASA reports multiple security fixes in
Opera, including an arbitrary code execution
vulnerability:

Opera for Linux, FreeBSD, and Solaris has a flaw in the
createPattern function that leaves old data that was in
the memory before Opera allocated it in the new
pattern. The pattern can be read and analyzed by
JavaScript, so an attacker can get random samples of the
user's memory, which may contain data.

Removing a specially crafted torrent from the download
manager can crash Opera. The crash is caused by an
erroneous memory access.

An attacker needs to entice the user to accept the
malicious BitTorrent download, and later remove it from
Opera's download manager. To inject code, additional means
will have to be employed.

Users clicking a BitTorrent link and rejecting the
download are not affected.

data: URLs embed data inside them, instead of linking to
an external resource. Opera can mistakenly display the end
of a data URL instead of the beginning. This allows an
attacker to spoof the URL of a trusted site.

Opera's HTTP authentication dialog is displayed when the
user enters a Web page that requires a login name and a
password. To inform the user which server it was that
asked for login credentials, the dialog displays the
server name.

The user has to see the entire server name. A truncated
name can be misleading. Opera's authentication dialog cuts
off the long server names at the right-hand side, adding
an ellipsis (...) to indicate that it has been cut off.

The dialog has a predictable size, allowing an attacker
to create a server name which will look almost like a
trusted site, because the real domain name has been cut
off. The three dots at the end will not be obvious to all
users.

This flaw can be exploited by phishers who can set up
custom sub-domains, for example by hosting their own
public DNS.
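
The truncation problem described above, as an added example that is
not Opera's code: right-hand truncation beside one possible
alternative that keeps the end of the server name visible. The
function names, the sample host name, the 27-character width and the
two-label check are all assumptions made for illustration.

```javascript
// Added example: eliding a long server name in a fixed-width login prompt.
const ELLIPSIS = "...";

function checkWidth(maxChars) {
  if (maxChars <= ELLIPSIS.length) throw new RangeError("maxChars too small");
}

// Behaviour the advisory describes: keep the start, cut the right-hand side.
function truncateRight(host, maxChars) {
  checkWidth(maxChars);
  if (host.length <= maxChars) return host;
  return host.slice(0, maxChars - ELLIPSIS.length) + ELLIPSIS;
}

// Alternative: keep the END of the name, adding whole labels from the right
// so the labels that identify the real domain are never the ones removed.
function truncateLeft(host, maxChars) {
  checkWidth(maxChars);
  if (host.length <= maxChars) return host;
  const labels = host.split(".");
  let shown = "";
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = shown ? labels[i] + "." + shown : labels[i];
    if (ELLIPSIS.length + candidate.length > maxChars) break;
    shown = candidate;
  }
  // Not even the last label fits: fall back to a plain cut from the left.
  if (!shown) shown = host.slice(-(maxChars - ELLIPSIS.length));
  return ELLIPSIS + shown;
}

// True when the displayed text no longer ends with the host's last n labels.
// n = 2 is a simplification; real code would consult the Public Suffix List.
function hidesDomainTail(host, displayed, n = 2) {
  const tail = host.split(".").slice(-n).join(".");
  return !displayed.endsWith(tail);
}

// Constructed sample using reserved TLDs; not taken from the advisory.
const SAMPLE_HOST = "www.trusted-bank.example.secure-login.attacker.test";
const DIALOG_WIDTH = 27; // assumed number of characters the dialog can show

console.log(truncateRight(SAMPLE_HOST, DIALOG_WIDTH)); // start of name only
console.log(truncateLeft(SAMPLE_HOST, DIALOG_WIDTH));  // end of name kept
```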